I am using python3 ssl to connect via web sockets to an nginx server. According to my code below, I should be connecting via TLSv1.3, since I am not using 1, 1.1, or 1.2. My ssl (OpenSSL 1.1.1h 22 Sep 2020) supports TLSv1.3.

    import ssl
    import websockets

    sslCon = None
    if self.server.startswith("wss"):
        # generic TLS context, then switch off every version below 1.3
        sslCon = ssl.SSLContext(ssl.PROTOCOL_TLS)
        sslCon.options |= (
            ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
        )
    self.conn = await websockets.connect(self.server, ssl=sslCon)
My NGINX config specifies TLSv1.3, but when I observe the connection over Wireshark, I see the following. Any ideas on how to diagnose this further?

    Frame 3172: 308 bytes on wire (2464 bits), 308 bytes captured (2464 bits) on interface en0, id 0
    Ethernet II, Src: Apple_62:32:d8 (XX:XX:XX:XX:XX:XX), Dst: Cisco_9f:f2:8f (00:00:0c:9f:f2:8f)
    Internet Protocol Version 4, Src: XXX.XXX.XXX.XXX, Dst: XXX.XXX.XXX.XXX
    Transmission Control Protocol, Src Port: 62035, Dst Port: 8189, Seq: 1, Ack: 1, Len: 242
    Transport Layer Security
        TLSv1 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 237
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 233
                Version: TLS 1.2 (0x0303)
                Random: dccd34397b86bac156d3ae39483a268ed3536ef09a3557c3…
                Session ID Length: 32
                Session ID: ea577122c909b7c78e20dbb5f982a7be94169fac8f51886f…
                Cipher Suites Length: 8
                Cipher Suites (4 suites)
                Compression Methods Length: 1
                Compression Methods (1 method)
                Extensions Length: 152
                    Extension: server_name (len=23)
                    Extension: ec_point_formats (len=4)
                    Extension: supported_groups (len=12)
                    Extension: session_ticket (len=0)
                    Extension: encrypt_then_mac (len=0)
                    Extension: extended_master_secret (len=0)
                    Extension: signature_algorithms (len=30)
                    Extension: supported_versions (len=3)
                    Extension: psk_key_exchange_modes (len=2)
                    Extension: key_share (len=38)
> Extension: supported_versions (len=3)

You'll find the support for TLS 1.3 announced inside this extension. This is perfectly normal, i.e. this is how TLS 1.3 works. Not announcing the support for TLS 1.3 directly in the ClientHello version, but instead in the extension, was done in order to not confuse broken TLS stacks.
> How would I diagnose an ssl.WRONG_VERSION_NUMBER error in python3
First by better understanding how TLS works :)
Then by not assuming that the error message means what it says :(
Unfortunately this error message and similar strange ones often happen if one tries to connect to a server which does not speak TLS at all and the non-TLS response of the server is just interpreted as TLS. Such situations typically happen if the wrong port is used, if the server is misconfigured, or if one assumes that the protocol should start with TLS but it does not (as in the case of SMTP etc., which have some plain TCP initial dialog first). Thus, look at the actual data coming from the server to see if they even look like TLS.
It can also happen that due to misconfiguration or misunderstanding the server does not support the specific TLS version even if you are sure that it should. Therefore look for information in the logs the server writes, especially the error logs.
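To make the point of the answer concrete, here is an added example (not code from the question or the answer) that builds a minimal ClientHello shaped like the captured one and parses it: the record layer says 0x0301, the handshake legacy_version says 0x0303, and TLS 1.3 (0x0304) appears only in the supported_versions extension (type 43). `build_client_hello`, `parse_client_hello` and `offered_versions` are names chosen here; the bytes are constructed, not a real capture.

```python
import struct

SUPPORTED_VERSIONS = 43  # extension type of supported_versions (RFC 8446)

def build_client_hello(versions=(0x0304,)):
    """Constructed sample ClientHello; versions=None omits the extension."""
    ext = b""
    if versions is not None:
        sv = bytes([2 * len(versions)]) + b"".join(struct.pack(">H", v) for v in versions)
        ext = struct.pack(">HH", SUPPORTED_VERSIONS, len(sv)) + sv
    body = (b"\x03\x03" + b"\x00" * 32          # legacy_version 0x0303 + random
            + b"\x00"                            # session id length 0
            + b"\x00\x02\x13\x01"                # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                        # one compression method: null
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # record version 0x0301

def parse_client_hello(rec):
    """Return (record_version, legacy_version, supported_versions list or None)."""
    if rec[0] != 0x16:
        raise ValueError("not a TLS handshake record: server may not speak TLS here")
    rec_ver = struct.unpack(">H", rec[1:3])[0]
    hs = rec[5:5 + struct.unpack(">H", rec[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                         # skip type + 3-byte length
    legacy = struct.unpack(">H", hs[p:p + 2])[0]; p += 2
    p += 32                                       # random
    p += 1 + hs[p]                                # session id
    p += 2 + struct.unpack(">H", hs[p:p + 2])[0]  # cipher suites
    p += 1 + hs[p]                                # compression methods
    supported = None
    if p < len(hs):
        ext_end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]; p += 2
        while p < ext_end:
            et, el = struct.unpack(">HH", hs[p:p + 4]); p += 4
            if et == SUPPORTED_VERSIONS:
                n = hs[p]                         # byte length of the version list
                supported = [struct.unpack(">H", hs[p + 1 + i:p + 3 + i])[0]
                             for i in range(0, n, 2)]
            p += el
    return rec_ver, legacy, supported

def offered_versions(rec):
    """What the client really offers: the extension wins, else legacy_version."""
    _, legacy, supported = parse_client_hello(rec)
    return supported if supported else [legacy]
```

Running `parse_client_hello(build_client_hello())` reproduces the three version fields seen in the Wireshark tree, which is why the "TLS 1.0" and "TLS 1.2" labels there are not a misconfiguration.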