Open Zash opened 4 years ago
I did the same example in Python to see what happens and I got the same result.
It seems that TLS 1.3 needs certificate/key in the earlier stage of handshake, before SNI. Since it does not have them, it downgrades to TLS 1.2.
In a setup where certificates are selected via SNI and the default context has no certificate, connections are capped to TLS 1.2, despite TLS 1.3 being available.
Setting a default certificate and results in TLS 1.3.
To reproduce, apply the following patch to the sni sample and run