カールは「Client Hello」にTLSv1.3を表示しますが、tsharkが「TLSv1」を表示するのはなぜですか?

カールは「Client Hello」にTLSv1.3を表示しますが、tsharkが「TLSv1」を表示するのはなぜですか?

カールの出力指示ですTLSv1.3 (OUT), TLS handshake, Client hello (1)--tlsv1.3強制的に使用するには、以下を使用してくださいTLSv1.3

$ curl -6 --tlsv1.3  --tls13-ciphers TLS_AES_256_GCM_SHA384 -vL https://icanhazip.com
*   Trying 2606:4700::6812:7261:443...
* TCP_NODELAY set
* Connected to icanhazip.com (2606:4700::6812:7261) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLS 1.3 cipher selection: TLS_AES_256_GCM_SHA384
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Apr  7 00:00:00 2023 GMT
*  expire date: Apr  6 23:59:59 2024 GMT
*  subjectAltName: host "icanhazip.com" matched cert's "icanhazip.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55eab1370300)
> GET / HTTP/2
> Host: icanhazip.com
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200 
< date: Tue, 19 Sep 2023 15:25:06 GMT
< content-type: text/plain
< content-length: 39
< access-control-allow-origin: *
< access-control-allow-methods: GET
< set-cookie: ...; path=/; expires=Tue, 19-Sep-23 15:55:06 GMT; domain=.icanhazip.com; HttpOnly; Secure; SameSite=None
< server: cloudflare
< cf-ray: ...
< alt-svc: h3=":443"; ma=86400
< 
2001:...
* Connection #0 to host icanhazip.com left intact
$

ただし、tsharkを使用してパケットをチェックすると、最初の「Client Hello」が「TLSv1」と表示されます。以降のレコードには TLSv1.3 が表示されます。

$ tshark -i wlo1 -Y "tls"
Capturing on 'wlo1'
    6 0.104130915 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1 341 Client Hello
    8 0.155371691 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 2726 Server Hello, Change Cipher Spec, Application Data
   10 0.155931670 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 166 Change Cipher Spec, Application Data
   11 0.156028365 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 181 Application Data, Application Data
   12 0.156320000 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 181 Application Data, Application Data
   15 0.204002604 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 655 Application Data, Application Data
   16 0.204002660 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 439 Application Data
   17 0.204181004 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 117 Application Data
   18 0.204188232 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 156 Application Data
   19 0.204188303 2606:4700::6812:7261 → <my IPv6 IP> TLSv1.3 117 Application Data
   21 0.204599136 <my IPv6 IP> → 2606:4700::6812:7261 TLSv1.3 110 Application Data
^C11 packets captured

2つの出力に違いがあるのはなぜですか?

私の初期の問題はcurl --tlsv1.3。ただし、そうでない場合は、--tlsv1.3カールの出力が表示されてもHTTP 403応答を受け取りますTLSv1.3。まず、この違いを理解する必要があります。

関連情報