GRPC netty establishing TLS1.2 always even if configured TLS1.3 in sslcontext in grpc client & server


ganesh.umapathy

Jun 7, 2025, 3:11:11 PM (11 days ago) Jun 7
to grpc.io
I am using NettyChannelBuilder in grpc client and NettyServerBuilder in grpc server.

I have created NettyServerBuilder with an sslcontext with TLS1.3 and started the server as below
import io.grpc.Server;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.grpc.netty.NettyServerBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.ClientAuth;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.X509TrustManager;

        private Server myServer;

        CertificateData grpcCertificateData = CertificateData.SERVER_CERT;
        try {
            KeyManager serverKeyManager = myCertificateHandlerService.getServerKeyManagers(grpcCertificateData.getServiceGroup())[0];
            LOG.info("Retrieved key manager: {}", serverKeyManager);

            X509TrustManager trustManager =
                    (X509TrustManager) myCertificateHandlerService.getServerTrustManagers(grpcCertificateData.getServiceGroup())[0];
            X509Certificate[] acceptedIssuers = trustManager.getAcceptedIssuers();
            LOG.info("Retrieved CA certificates: {}", acceptedIssuers);

            // Server-side SslContext: mutual TLS, restricted cipher list, TLSv1.3 only, JDK provider
            SslContextBuilder builder = SslContextBuilder.forServer(serverKeyManager)
                    .trustManager(trustManager)
                    .clientAuth(ClientAuth.REQUIRE)
                    .ciphers(CIPHER_SUITES_SUPPORTED)
                    .protocols(TLS_VERSION_1_3)  // Explicitly set TLSv1.3
                    .sslProvider(SslProvider.JDK);

            // GrpcSslContexts.configure adds the ALPN/HTTP2 settings gRPC needs on top of the builder
            NettyServerBuilder serverBuilder = NettyServerBuilder.forPort(PORT)
                    .sslContext(GrpcSslContexts.configure(builder).build())
                    .addService(new LoadReportingRpcService());
            myServer = serverBuilder.directExecutor().build();
            myServer.start();
        }
        catch (Exception e) {
            LimitedLogger.logOrSuppressError(LOG, LOG_MESSAGE_DATA, "Failed to build SSL context {}", e);
        }

Also I have created NettyChannelBuilder with an sslContext with TLS1.3 and invoked an rpc method on the grpc server as below

import io.grpc.ManagedChannelBuilder;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

        String serviceGroup = CertificateData.CERT_CLIENT.getServiceGroup();
        try
        {
            TrustManager[] caTrustManagers = myCertificateHandlerService.getServerTrustManagers(serviceGroup);
            KeyManager[] clientKeyManagers = myCertificateHandlerService.getClientKeyManagers(serviceGroup);
            if (caTrustManagers == null || clientKeyManagers == null)
            {
                LOG.error("NN Failed to retrieve PKI components. Server trust manager was {}, client key manager was {}, for service group {}",
                        caTrustManagers,
                        clientKeyManagers,
                        serviceGroup);
            }
            else
            {
                LOG.error("NN Configure TLS1.3 client");
                X509TrustManager caTrustManager = (X509TrustManager) caTrustManagers[0];
                KeyManager keyManager = clientKeyManagers[0];
                // Client-side SslContext: client certificate for mTLS, TLSv1.3 only, JDK provider
                SslContextBuilder sslContextBuilder = SslContextBuilder.forClient()
                        .trustManager(caTrustManager)
                        .keyManager(keyManager)
                        .protocols(TLS_VERSION_1_3)
                        .sslProvider(SslProvider.JDK)
                        .ciphers(CIPHER_SUITES_SUPPORTED);
                ManagedChannelBuilder<?> channelBuilder = NettyChannelBuilder.forAddress(target, GRPC_PORT);
                channelBuilder.directExecutor();
                LOG.error("NN tls enabled {}", isTlsEnabled());
                if (isTlsEnabled())
                {
                    LOG.error("NN tls enabled and start secure grpc client");
                    ((NettyChannelBuilder) channelBuilder)
                            .sslContext(GrpcSslContexts.configure(sslContextBuilder).build())
                            .useTransportSecurity();
                }
                foundChannel = channelBuilder.build();
                ReportingServiceGrpc.ReportingServiceStub stub = ReportingServiceGrpc.newStub(foundChannel);
                stub.invokeRpcMethod();
            }
        }
        catch (Exception e)
        {
            LOG.error("Failed to create ssl context for {}", serviceGroup, e);
        }



I was using the below TLS1.3 ciphers in both server and client
    private static final Iterable<String> CIPHER_SUITES_SUPPORTED =
            Arrays.asList("TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                    "TLS_CHACHA20_POLY1305_SHA256");


But I observed that a TLS1.2 connection is always established for the client-to-server communication. Here I have configured TLS1.3 in the sslcontext in both client and server, and I am using Java 11. It should establish TLS1.3, right?

Is it a bug in gRPC? Otherwise, please clarify the solution and what I am missing?

ganesh.umapathy

Jun 10, 2025, 5:28:43 AM (9 days ago) Jun 10
to grpc.io
Can anyone pls check and reply on this?

ganesh.umapathy

Jun 11, 2025, 4:42:26 AM (8 days ago) Jun 11
to grpc.io
Can anyone pls check this and help us?

Kannan Jayaprakasam

10:57 AM (12 hours ago) 10:57 AM
to grpc.io
Do you happen to be using Conscrypt JSSE provider? We allow TLS 1.3 for IBM and ALPN JSSE providers but not for Conscrypt, for which we hard code it to TLS1.2. There is an open issue for this.
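Added example, not code from either poster or from the gRPC project: two checks that settle the question raised in the first post and in the reply above without guessing. The first lists the registered JSSE providers (a provider named "Conscrypt" would explain the TLS1.2 downgrade) and the protocols the default JDK SSLContext can offer; the second is a ServerInterceptor that reads the negotiated protocol from the transport attributes gRPC exposes (Grpc.TRANSPORT_ATTR_SSL_SESSION) and refuses calls that did not land on TLSv1.3, so a silent downgrade becomes a logged, failed call instead of an unnoticed weaker session. The class name TlsVersionCheck and the wiring through ServerInterceptors.intercept are my assumptions; the gRPC and JDK calls used are public API.

```java
import io.grpc.Grpc;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;

/** Hypothetical helper class (assumption, not part of gRPC) for diagnosing and enforcing the TLS version. */
public final class TlsVersionCheck {

    private static final String REQUIRED_PROTOCOL = "TLSv1.3";

    /** Names of all registered security providers, in lookup order. */
    public static List<String> registeredProviderNames() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            names.add(p.getName());
        }
        return names;
    }

    /** True when a provider named "Conscrypt" is registered in this JVM. */
    public static boolean conscryptRegistered() {
        return registeredProviderNames().contains("Conscrypt");
    }

    /** Protocols the default JDK SSLContext can offer; TLSv1.3 must appear here for SslProvider.JDK to use it. */
    public static String[] defaultSupportedProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    /**
     * Server interceptor: inspects the TLS session the transport negotiated and
     * closes the call unless it is TLSv1.3. A missing session means plaintext.
     */
    public static final class RequireTls13 implements ServerInterceptor {
        @Override
        public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
                ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
            SSLSession session = call.getAttributes().get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
            if (session == null) {
                call.close(Status.UNAUTHENTICATED.withDescription("plaintext transport not allowed"), new Metadata());
                return new ServerCall.Listener<ReqT>() {};
            }
            String negotiated = session.getProtocol();
            if (!REQUIRED_PROTOCOL.equals(negotiated)) {
                // This is the observable symptom from the thread: the handshake completed on TLSv1.2.
                call.close(Status.UNAUTHENTICATED.withDescription(
                        "negotiated " + negotiated + ", " + REQUIRED_PROTOCOL + " required"), new Metadata());
                return new ServerCall.Listener<ReqT>() {};
            }
            return next.startCall(call, headers);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Security providers: " + registeredProviderNames());
        System.out.println("Conscrypt registered: " + conscryptRegistered());
        System.out.println("Default SSLContext provider: " + SSLContext.getDefault().getProvider().getName());
        System.out.println("Default supported protocols: " + Arrays.toString(defaultSupportedProtocols()));
    }
}
```

To wire the interceptor into the server from the first post, register the service as ServerInterceptors.intercept(new LoadReportingRpcService(), new TlsVersionCheck.RequireTls13()) instead of passing the service directly to addService; running main() on the same JVM shows whether Conscrypt is present and whether the JDK provider lists TLSv1.3 at all. The interceptor only sees calls after the handshake has succeeded, so it is an enforcement and visibility layer on top of the SslContext configuration, not a replacement for it.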