Why is the MinVersion flag being ignored in my Go code?

Question

I'm trying to debug a failing connection to a given host. I've recorded packet captures for successful requests made to this host via the browser, as well as unsuccessful requests made via my Go code below:

package main

import (
        "crypto/tls"
        "log"
)

func main() {
        log.SetFlags(log.Lshortfile)

        conf := &tls.Config{
                //InsecureSkipVerify: true,
                MinVersion: tls.VersionTLS13,
                MaxVersion: tls.VersionTLS13,
        }


        conn, err := tls.Dial("tcp", "x.x.x.x:443", conf)
        if err != nil {
                log.Println(err)
                return
        }
        defer conn.Close()

        n, err := conn.Write([]byte("hello\n"))
        if err != nil {
                log.Println(n, err)
                return
        }

        buf := make([]byte, 100)
        n, err = conn.Read(buf)
        if err != nil {
                log.Println(n, err)
                return
        }

        println(string(buf[:n]))
}

After inspecting the Client Hello packet in both the successful and unsuccessful requests, I've noticed that successful requests uses TLSv1.3 versus unsuccessful requests which use TLSv1.2.

My code above specifies that I only want to use TLSv1.3 in my request, but for whatever reason the request still attempts to use TLSv1.2. I've tried consulting various example http clients written in go, and have confirmed that I'm using the correct syntax. Any ideas what I'm doing wrong here?

Answer 1

TLS 1.3 handshake also begins with a TLS 1.2 Client Hello

If we specify TLS 1.3 in golang code, in the supported_versions extension there's only one TLS 1.3

If the server did not support TLS 1.3 or any other reason,the connection failed in handshake phase, it would looks like a failed TLS 1.2 connection.