ssl_reject_handshake disallow TLSv1.3

rjvbzeoibvpzie nginx-forum at forum.nginx.org
Tue Feb 8 11:15:18 UTC 2022


ssl_protocols  TLSv1.2 TLSv1.3;

server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

This does not allow ANY other server to be reached with TLSv1.3.

server {
    listen 443 ssl default_server;
    ssl_certificate ssl/cert.pem;
    return 444;
}

This allows ANY server to be reached with TLSv1.2 or TLSv1.3 (as
configured).

See
https://stackoverflow.com/questions/71023951/ssl-alert-number-70-with-tlsv1-3/71032567#71032567

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,293611,293611#msg-293611


