If you have this setup handy, could you check what happens if you negotiate TLS1.3 then request a directory that has per-directory SSL settings in it?
I assume it fails (renegotiation) but not sure how the logs will look. That would be one big pitfall for flipping on tls1.3.
