TLSv1.3 handshake fails when proxy_protocol is enabled on loxilb #1044

@jotiao

Describe the bug
When proxy_protocol is enabled on loxilb, TLSv1.3 handshakes consistently fail, while TLSv1.2 works normally.
Disabling proxy_protocol immediately restores normal TLSv1.3 behavior.

To Reproduce

curl (TLSv1.3)

curl --tlsv1.3 https://<vip>/ -vvv

Output:

* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, protocol version (582):
* OpenSSL/3.0.17: error:0A00042E:SSL routines::tlsv1 alert protocol version
* Closing connection 0
curl: (35) OpenSSL/3.0.17: error:0A00042E:SSL routines::tlsv1 alert protocol version

openssl s_client (TLSv1.3)

openssl s_client -connect <vip>:443 -tls1_3

Output:

CONNECTED(00000003)
error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
SSL alert number 70
SSL handshake has read 7 bytes and written 225 bytes
no peer certificate available

Expected behavior
TLSv1.3 handshake should succeed normally when proxy_protocol is enabled, same as TLSv1.2.

Environment (please complete the following information):

  • OS: Rocky Linux 8.10
  • Kernel Version: 6.15.3
  • LoxiLB Version: v0.9.8.4
  • K8s Version

Labels: bug
