ssl_protocols TLSv1.2 TLSv1.3;
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}
This does not allow ANY other server to be reached with TLSv1.3.
server {
    listen 443 ssl default_server;
    ssl_certificate ssl/cert.pem;
    return 444;
}
This allows ANY server to be reached with TLSv1.2 or TLSv1.3 (as configured).
See https://stackoverflow.com/questions/71023951/ssl-alert-number-70-with-tlsv1-3/71032567#71032567