Terms

• I have read the guidelines for Contributing to Roots Projects
• This request is not a duplicate of an existing issue
• I have read the docs and followed them (if applicable)
• I have seached the Roots Discourse for answers and followed them (if applicable)
• This is not a personal support request that should be posted on the Roots Discourse community

Description

What's wrong?

TLS1.3 is not working on one of my servers, with the current trellis ssl config.

For the context: it's a satispress server on a subdomain, eg https://satis.mydomain.com. This is preventing latest composer versions to access this server, as it requires http2, and http2 requires tls1.3

TLS1.2 is working fine.

The culprit config lines seem to be

If I comment it out, TLS1.3 works again.

I've read that for TLS1.3 to work, every server block needs to include the ssl configuration.
A simple fix could be to add

include h5bp/directive-only/ssl.conf;

to the no-default ssl conf, but I'm not sure of the implications.

Steps To Reproduce

Not sure, the issue could be specific to my setup (subdomain, etc..)

Expected Behavior

TLS1.3 works.

Actual Behavior

TLS1.3 is not offered, as a tool like https://geekflare.com/tools/tls-scanner shows.

Relevant Log Output

❯ openssl s_client -tls1_3 -connect satis.mydomain.com:443

CONNECTED(00000003)
40C7E6F9E47F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1584:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 257 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Qualys tests shows A+ grade, but in the detailed log, I can see that TLS1.3 is not offered.

Versions

1.20.0