Comment 30 for bug 1865900

@vladimir-mencl: what you are seeing is actually this bug:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1834671

Basically, with TLSv1.3 you need a client that supports post-handshake authentication.

Some clients, such as Firefox for example, support it but it needs to be enabled, as it's disabled by default, see security.tls.enable_post_handshake_auth in about:config.

The best course of action if you don't control the clients connecting to your web server is probably to disable TLSv1.3.