TLS 1.3 issues with self-hosted AppFlowy and Firefox

Hi all,

I just managed to start self-hosting AppFlowy Cloud in a Podman pod behind nginx and ran into a TLS issue that I’m trying to understand. I’m hoping someone here can confirm whether this is expected/known/something worth investigating.

Setup

  • AppFlowy Cloud in a Podman pod behind nginx (TLS termination at nginx)
  • Let’s Encrypt certificates
  • Nginx 1.26.3 + OpenSSL 3.5.1 1 Jul 2025 (Library: OpenSSL 3.5.1 1 Jul 2025)
  • Web frontend and iOS app connecting to the same host from the same LAN.
  • Single user, no CDN or proxy in between

What I’m seeing

When nginx is configured to only allow TLS 1.3: ssl_protocols TLSv1.3;

  • Firefox desktop fails to log in
    The login request returns me to the login page without any visible error.
  • AppFlowy iOS app fails silently
    No requests appear in nginx access logs at all. I am, however, logged in, as going to the main login page gives me my workspace.
  • tcpdump does show a TCP/TLS handshake attempt from the client, followed by an immediate close.
  • nginx access logs remain empty, which suggests the failure happens during or immediately after the TLS handshake, before HTTP is established.

If I change nginx to allow TLS 1.2 + TLS 1.3: ssl_protocols TLSv1.3 TLSv1.2;

  • Firefox desktop login works
  • AppFlowy iOS app login works
  • Normal API and WebSocket traffic appears in nginx logs

Why I’m confused

Everything I’ve read suggests:

  • iOS supports TLS 1.3
  • AppFlowy is a modern app and should be TLS 1.3–capable

So I am uncertain whether:

  • AppFlowy (web or iOS) is doing something incompatible with TLS 1.3–only servers
  • nginx/OpenSSL defaults interact badly with the AppFlowy clients
  • There is a known requirement to allow TLS 1.2 fallback

I was able to get TLS 1.3–only working previously for a few minutes, but I haven’t been able to reliably reproduce it via automation yet.

Questions

  1. Is TLS 1.3–only officially supported for AppFlowy Cloud and clients?
  2. Has anyone successfully run AppFlowy behind a TLS 1.3–only nginx configuration?
  3. Are there known issues with specific cipher suites or other settings?
  4. Is TLS 1.2 fallback currently recommended for compatibility?

I’m happy to provide nginx config snippets or packet traces if helpful.

Thanks in advance — I’d like to run TLS 1.3–only if possible, but don’t want to fight undefined behavior.

Also, it took a bit of doing to get the Podman setup to work; is that something people here would be interested in a post about?
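An added example (not from the original post, and not AppFlowy's or nginx's code) that reproduces the shape of the symptom above in a self-contained way: a standard-library Go program runs a loopback TLS server restricted the way `ssl_protocols TLSv1.3;` restricts nginx, first against a client that offers at most TLS 1.2 and then with TLS 1.2 allowed again, so you can see that a version mismatch ends in a protocol_version alert and a closed connection before any HTTP request exists to be logged. The certificate, the hostname `appflowy.example` and the loopback port are constructed placeholders standing in for the Let's Encrypt setup; it does not claim this is why Firefox or the iOS app failed, only what that failure mode looks like on the wire.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway cert for the placeholder name "appflowy.example" so the demo runs offline.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "appflowy.example"},
		DNSNames: []string{"appflowy.example"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der); pool := x509.NewCertPool(); pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// Probe runs one handshake over loopback: a server accepting serverMin and up (nginx's
// ssl_protocols) against a client offering at most clientMax. It returns the negotiated
// version (0 on failure) and the client-side error; a failure happens before any HTTP.
func Probe(serverMin, clientMax uint16) (uint16, error) {
	cert, pool := selfSignedCert()
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return 0, err }
	defer ln.Close()
	go func() { // the "nginx" side: accept once, handshake, close
		raw, err := ln.Accept(); if err != nil { return }
		s := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: serverMin})
		s.Handshake() // on a version mismatch this sends a protocol_version alert; the client reports it
		s.Close()
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "appflowy.example", MaxVersion: clientMax})
	if err != nil { return 0, err }
	defer c.Close()
	return c.ConnectionState().Version, nil
}
func main() { // "ssl_protocols TLSv1.3;" then "ssl_protocols TLSv1.3 TLSv1.2;", each against a TLS 1.2-capped client
	for _, srvMin := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		v, err := Probe(srvMin, tls.VersionTLS12)
		fmt.Printf("server min=%#x client max=%#x: negotiated=%#x err=%v\n", srvMin, tls.VersionTLS12, v, err)
	}
}
```

Pointing `Probe` at the real host is not needed; to check what a live nginx actually accepts, `openssl s_client -connect host:443 -tls1_2` and `-tls1_3` give the same two answers from the command line.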