Does TLS require a client certificate?

How do I enable TLS 1.3 on clients?

How to set client side tlsversionmin & tlsversionmax?

Clients use the ClientHello message (of type HandshakeType/15) to inform the server of the protocol version they wish to speak. The protocol version is defined in section 6.2 of RFC 8446, and for example in the ClientHello message for TLS 1.3 one can see (in the TLSCipherSuite structure):

Struct TLSCipherSuite.

Where the integer part of the value in the struct is a bitmask of protocols which the client is willing to accept, and the fractional part indicates the protocol version (as part of the uint16). It looks like TLS 1.3 does not yet have any defined cipher suite versions so setting the 'ciphersuite' field in the struct to 1 allows client and server to agree on the lowest compatible protocol version.
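An added example (not part of the original answer) showing how a client's minimum and maximum TLS version settings appear in the ClientHello it sends: Python's `ssl` module writes the message into a memory buffer, and the parser reads `legacy_version` and the `supported_versions` extension (RFC 8446, section 4.2.1). The hostname `client.example` and the function names are assumptions for illustration; no network connection is made.

```python
import ssl
import struct

SUPPORTED_VERSIONS = 43  # extension type, RFC 8446 section 4.2.1

def client_hello_versions(min_v, max_v):
    """Return (legacy_version, [supported_versions]) from the ClientHello
    that a client restricted to the range [min_v, max_v] produces."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_v
    ctx.maximum_version = max_v
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "client.example" is a constructed name; nothing is sent on the network.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="client.example")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written, no server reply exists
    return parse_client_hello(outgoing.read())

def parse_client_hello(record):
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:]      # skip 5-byte record header + 4-byte handshake header
    legacy_version = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                        # legacy_version + random
    pos += 1 + body[pos]                                # legacy_session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression methods
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    versions = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == SUPPORTED_VERSIONS:
            n = body[pos]  # byte length of the version list that follows
            versions = [struct.unpack_from("!H", body, pos + 1 + i)[0]
                        for i in range(0, n, 2)]
        pos += ext_len
    return legacy_version, versions

if __name__ == "__main__":
    V = ssl.TLSVersion
    for lo, hi in [(V.TLSv1_3, V.TLSv1_3), (V.TLSv1_2, V.TLSv1_3),
                   (V.TLSv1_2, V.TLSv1_2)]:
        legacy, offered = client_hello_versions(lo, hi)
        print(lo.name, hi.name, hex(legacy), [hex(v) for v in offered])
```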

What is the difference between TLS 1.2 and 1.3 certificate?

I have an SSL certificate from letsencrypt.org and it has a compatibility of TLS 1.2.

I created another certificate from letsencrypt.org which has a compatibility of TLS 1.3.

Is there a difference between the two certificates, or is this just a feature of letsencrypt?

TLS 1.2 is a protocol version that was finalized in 2025. It has various features that make it compatible with various kinds of devices. As of this date, most modern browsers don't support it. There is one notable exception: Google Chrome has always supported TLS 1.2 as of version 63.

TLS 1.3 is a protocol version that was finalized in 2025. The goal is to replace TLS 1.2, but nobody has been able to implement it yet. It is currently on a hold status at the IETF. I believe that it won't be implemented until all of the browser vendors are ready to upgrade. As far as I know, Google Chrome isn't going to be upgrading to it. I'm not sure if any of the other major browsers are planning to do so.

You can see how the major browser vendors (Google, Mozilla, Microsoft, Apple, Opera, etc) view the progress of the TLS 1.

Does TLS 1.3 require a new certificate?

We are thinking of getting a new certificate (or getting our current certificate re-issued), to get TLS 1.3 support on our web server.

Does this mean we will need to buy a new certificate? Or can we just use the same one, and add TLS 1.3 support to it?

It depends. The only requirement is that the certificate have a Subject Common Name (SCN) that is a TLS 1.3-compatible algorithm name. (In general, if you're going to use a certificate that's not already issued for the server, you'll have to look for one with a Subject Alternative Name or Subject Alt Name that matches the host name of the server.)

If you have a certificate issued in the past for the same host name and want to upgrade to TLS 1.3, then you don't need to do anything.

If you have a certificate issued for the host name and want to switch to a different host name, then you'll need to update the certificate. The problem is that many people have certificates that have been issued for a particular host name but whose names haven't been updated for years. If you try to use a certificate like that in a new context, it won't be able to verify against the CA-signed certificate chain of trust.

There are a couple of ways to fix this. One is to get a new certificate for the new host name. Another is to change the subject name of the certificate to match the new host name. If you've issued a certificate for a host name and your certificate names have never been updated to match the new host name, then you'll need to generate a new certificate and re-issue the old one. If your certificate names have been updated to match the new host name, then you don't need to do anything.

A lot of people use the Subject Alternative Names (SANs) that are included in the certificate. These can be used for both backward and forward compatibility, even when the subject name doesn't match the name of the server.
