diff --git a/boring-nginx/Dockerfile b/boring-nginx/Dockerfile
index da908da..55dc5de 100644
--- a/boring-nginx/Dockerfile
+++ b/boring-nginx/Dockerfile
@@ -7,6 +7,8 @@
 ARG NGINX_VERSION=1.11.6
 ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8"
 ARG BUILD_CORES
+COPY tls1.3.patch /tmp/tls1.3.patch
+
 RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
 && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
 && BUILD_DEPS=" \
@@ -41,6 +43,7 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a
 && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
 && git clone https://boringssl.googlesource.com/boringssl --depth=1 \
 && cd boringssl \
+ && patch -p1 < /tmp/tls1.3.patch \
 && mkdir build && cd build && cmake -DCMAKE_BUILD_TYPE=Release .. \
 && make -j ${NB_CORES} && cd .. \
 && mkdir -p .openssl/lib/ && cd .openssl && ln -s ../include && cd .. \
diff --git a/boring-nginx/tls1.3.patch b/boring-nginx/tls1.3.patch
new file mode 100644
index 0000000..2c1d34b
--- /dev/null
+++ b/boring-nginx/tls1.3.patch
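Review bot: `&& patch -p1 < /tmp/tls1.3.patch \` in the second hunk is applied to a BoringSSL tree that the line above clones unpinned with `--depth=1`, so whether the patch's three hunks still match depends on upstream HEAD at build time; a drifted tree either aborts the build or applies with offset or fuzz, which is easy to miss inside a long chained RUN. Pin the base instead, e.g. `&& git clone https://boringssl.googlesource.com/boringssl && cd boringssl && git checkout <BORINGSSL_COMMIT> \` (a shallow clone cannot check out an arbitrary commit), and keep the patch step directly after it. BUILD_DEPS is cut off above this hunk; if `patch` is not among them the step runs Alpine's BusyBox patch, whose option set differs from GNU patch, so confirm which one the image has. The `COPY` in the first hunk leaves the file under `/tmp`, and the tail of the RUN where temporary files would be removed is outside this hunk, so confirm it is cleaned up.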
@@ -0,0 +1,59 @@
+From c3f389dade719b7b34825d62404a88cc0d618631 Mon Sep 17 00:00:00 2001
+From: Steven Valdez
+Date: Thu, 13 Oct 2016 14:33:35 -0400
+Subject: [PATCH] Enabling TLS 1.3 (DRAFT).
+
+Change-Id: I2e4f0db3b8630f990911c8e104f60c048bb7450d
+---
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index 9cc0d9d..d4db949 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -189,7 +189,7 @@
+ * TODO(davidben): Move this field into |s3|, have it store the normalized
+ * protocol version, and implement this pre-negotiation quirk in |SSL_version|
+ * at the API boundary rather than in internal state. */
+- ssl->version = TLS1_2_VERSION;
++ ssl->version = TLS1_3_VERSION;
+ return 1;
+ err:
+ return 0;
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index d8270f3..57343a4 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -965,10 +965,6 @@
+ uint16_t version) {
+ if (version == 0) {
+ *out = method->max_version;
+- /* TODO(svaldez): Enable TLS 1.3 by default once fully implemented. */
+- if (*out > TLS1_2_VERSION) {
+- *out = TLS1_2_VERSION;
+- }
+ return 1;
+ }
+
+diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
+index 5eede01..d847030 100644
+--- a/ssl/ssl_test.cc
++++ b/ssl/ssl_test.cc
+@@ -2410,7 +2410,7 @@
+ }
+
+ if (ctx->min_version != SSL3_VERSION ||
+- ctx->max_version != TLS1_2_VERSION) {
++ ctx->max_version != TLS1_3_VERSION) {
+ fprintf(stderr, "Default TLS versions were incorrect (%04x and %04x).\n",
+ ctx->min_version, ctx->max_version);
+ return false;
+@@ -2574,8 +2574,7 @@
+ !TestBadSSL_SESSIONEncoding(kBadSessionExtraField) ||
+ !TestBadSSL_SESSIONEncoding(kBadSessionVersion) ||
+ !TestBadSSL_SESSIONEncoding(kBadSessionTrailingData) ||
+- // TODO(svaldez): Update this when TLS 1.3 is enabled by default.
+- !TestDefaultVersion(SSL3_VERSION, TLS1_2_VERSION, &TLS_method) ||
++ !TestDefaultVersion(SSL3_VERSION, TLS1_3_VERSION, &TLS_method) ||
+ !TestDefaultVersion(SSL3_VERSION, SSL3_VERSION, &SSLv3_method) ||
+ !TestDefaultVersion(TLS1_VERSION, TLS1_VERSION, &TLSv1_method) ||
+ !TestDefaultVersion(TLS1_1_VERSION, TLS1_1_VERSION, &TLSv1_1_method) ||
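Review bot: The ssl_lib.c hunk removes the clamp that capped the default maximum at TLS1_2_VERSION, so a caller passing version 0 now receives `method->max_version` unchanged, which the ssl_test.cc hunk pins to TLS1_3_VERSION for TLS_method; the deleted comment shows upstream held this back until the implementation was complete, and the patch subject itself is marked DRAFT, so the build ships draft TLS 1.3 as the default for every context with no opt-in visible here. The function containing that hunk starts above it, outside the excerpt. The s3_lib.c hunk likewise sets the pre-negotiation `ssl->version` to TLS1_3_VERSION, and the TODO directly above it describes that field as a quirk exposed through SSL_version, so anything that reads the version before the handshake completes will now see the draft code. If the intent is an explicit opt-in, keep the clamp and raise the maximum from the consumer instead, and record in the Dockerfile which BoringSSL revision the patch was verified against.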