﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2071	ssl_reject_handshake on introduced in nginx 1.19.4 works but disables TLSv1.3?	i81b4u@…		"After ""adding ssl_reject_handshake on;"" to my configuration, everything seemed to work as intended, but after closer inspection I found that TLSv1.3 was no longer used.

After disabling the first server block (the one with only ssl_reject_handshake) and restarting nginx, TLSv1.3 started working again:
server {
       listen 443 ssl http2;
       listen [::]:443 ssl http2;

       ssl_reject_handshake on;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name test.server;

        # logging
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log warn;

        set $base /var/www/default;
        root $base;

        # SSL
        ssl_certificate /opt/nginx/etc/ssl/certs/test.server.pem;
        ssl_certificate_key /opt/nginx/etc/ssl/keys/test.server.key;

        # index.html
        index index.html;

        # limit HTTP methods
        location / {
                limit_except GET POST {
                        deny all;     
                }
        }

        location ~* (mp3|mp4|m4v)$ {
                add_header Content-Disposition ""attachment"";
        }
}

The SSL configuration is as follows:
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_dyn_rec_enable on;
        ssl_ecdh_curve X25519:secp521r1:secp384r1:prime256v1;
        ssl_prefer_server_ciphers on;
        ssl_buffer_size 4k;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE+AESGCM;

"	defect	closed	minor		documentation	1.19.x	wontfix	TLSv1.3 ssl_reject_handshake		Linux linuxhost 5.4.0-21-generic #25-Ubuntu SMP Sat Mar 28 13:10:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.19.4
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04) 
built with OpenSSL 1.1.1h  22 Sep 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g0 -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -march=native -pipe -flto -funsafe-math-optimizations --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/opt/nginx --conf-path=/opt/nginx/etc/nginx.conf --sbin-path=/opt/nginx/sbin/nginx --http-client-body-temp-path=/var/tmp/client_body_temp --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --modules-path=/opt/nginx/lib/modules --http-fastcgi-temp-path=/opt/nginx/lib/fastcgi --http-proxy-temp-path=/opt/nginx/lib/proxy --http-scgi-temp-path=/opt/nginx/lib/scgi --http-uwsgi-temp-path=/opt/nginx/lib/uwsgi --user=www-data --group=www-data --with-openssl=/usr/src/openssl --with-openssl-opt='enable-tls1_3 enable-ec_nistp_64_gcc_128' --add-module=/usr/src/ngx_brotli --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module"
