Looks like almost all our users will need to reconfigure their cipher suites, once we ship 2.4.26 and they install OpenSSL 1.1.x:
"If you explicitly configure your ciphersuites then care should be taken to ensure that you are not inadvertently excluding all TLSv1.3 compatible ciphersuites." https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/