LibreSSL Compatibility about TLS 1.3 #485

Closed
ixearth opened this issue Jul 19, 2020 · 2 comments
ixearth commented Jul 19, 2020

Trojan Version

I built trojan with LibreSSL and `-DENABLE_MYSQL=OFF -DENABLE_SSL_KEYLOG=OFF -DENABLE_TLS13_CIPHERSUITES=OFF -DSYSTEMD_SERVICE=OFF`

$ trojan -v
Welcome to trojan 1.16.0
Boost 1_72, LibreSSL 3.1.3
[Disabled] MySQL Support
 [Enabled] TCP_FASTOPEN Support
 [Enabled] TCP_FASTOPEN_CONNECT Support
[Disabled] SSL KeyLog Support
 [Enabled] NAT Support
[Disabled] TLS1.3 Ciphersuites Support
 [Enabled] TCP Port Reuse Support
OpenSSL Information
	Build Flags: compiler: information not available

Describe the bug
Built without ciphersuites support, it does not work when I replace the cipher with TLS 1.3 ones.

To Reproduce
I have tried

  • Replace `SSL_CTX_set_ciphersuites` with `SSL_CTX_set_cipher_list` in `src/core/service.cpp`, build with `-DENABLE_TLS13_CIPHERSUITES=ON` and use a normal `client.json` which includes `cipher_tls13`
  • Build with `-DENABLE_TLS13_CIPHERSUITES=OFF`, remove `cipher_tls13` from `client.json` and set the value of `cipher` to the value of `cipher_tls13`

Both give me the same error: `SSL handshake failed with <remote_addr>:<remote_port>: sslv3 alert handshake failure`.

Expected behavior
I thought it could work when ciphersuites support was off and the value of `cipher` is set to a TLS 1.3 one.

Logs
Trojan (client)

$ trojan -c config.json
Welcome to trojan 1.16.0
[2020-07-19 16:54:52] [WARN] trojan service (client) started at 127.0.0.1:1080
[2020-07-19 16:55:42] [ERROR] 127.0.0.1:58954 SSL handshake failed with <remote_addr>:<remote_port>: sslv3 alert handshake failure

Firefox, while accessing google.com with this proxy
An error occurred during a connection to www.google.com. PR_END_OF_FILE_ERROR

Environment
Void Linux, a Linux distro which uses LibreSSL instead of OpenSSL.
libressl-3.1.3_1
boost-1.72.0_3

Additional context
https://man.openbsd.org/SSL_CTX_set_cipher_list.3

CAVEATS
     In LibreSSL, SSL_CTX_set_cipher_list() and SSL_set_cipher_list() can be
     used to configure the list of available cipher suites for all versions of
     the TLS protocol, whereas in OpenSSL, they only control cipher suites for
     protocols up to TLSv1.2.  If compatibility with OpenSSL is required, the
     list of available TLSv1.3 cipher suites can only be changed with
     SSL_set_ciphersuites().

So I guess it won't be hard to add LibreSSL TLSv1.3 support? But why did I get this error? I would like to test if you provide patches.
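Added here as an illustration, not code from the issue or from trojan: a Python check, built on the standard `ssl` module (whose `set_ciphers()` wraps `SSL_CTX_set_cipher_list`), that routes trojan-style `cipher` / `cipher_tls13` entries to the call OpenSSL would need and reports whether the linked library accepted the legacy list and which suites the context actually ends up with. It assumes TLS 1.3 suites are written with their IANA `TLS_` names as in `client.json`; Python exposes no `SSL_CTX_set_ciphersuites` binding, so that half is only routed, not applied.

```python
import ssl
from typing import List, Optional, Tuple

# TLS 1.3 suites are written with their IANA names (TLS_AES_128_GCM_SHA256, ...).
# OpenSSL only accepts those through SSL_CTX_set_ciphersuites(); LibreSSL takes
# everything through SSL_CTX_set_cipher_list() (see the man page excerpt above).
TLS13_NAME_PREFIX = "TLS_"


def split_cipher_config(cipher: str, cipher_tls13: str = "") -> Tuple[str, str]:
    """Route colon-separated entries from trojan's `cipher` / `cipher_tls13`
    settings to the two OpenSSL calls: (cipher_list string, ciphersuites string).
    Entries are classified by name only; order within each list is preserved."""
    legacy: List[str] = []
    tls13: List[str] = []
    for name in f"{cipher}:{cipher_tls13}".split(":"):
        if not name:
            continue
        (tls13 if name.startswith(TLS13_NAME_PREFIX) else legacy).append(name)
    return ":".join(legacy), ":".join(tls13)


def linked_library_is_libressl() -> bool:
    """True when the interpreter's ssl module is linked against LibreSSL."""
    return "LibreSSL" in ssl.OPENSSL_VERSION


def resolve_cipher_list(cipher_list: str) -> Optional[List[str]]:
    """Apply cipher_list via SSL_CTX_set_cipher_list (Python's set_ciphers) and
    return the cipher names the context really ends up with.
    Returns None when the library rejects the string; without this check a bad
    string surfaces only as a handshake failure at connect time."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return None
    return [entry["name"] for entry in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed sample: a client.json-style pair with TLS 1.3 names mixed in.
    legacy, tls13 = split_cipher_config(
        "ECDHE-ECDSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256",
        "TLS_CHACHA20_POLY1305_SHA256",
    )
    flavour = "LibreSSL" if linked_library_is_libressl() else "OpenSSL"
    print("library:", ssl.OPENSSL_VERSION, f"({flavour})")
    print("set_cipher_list  <-", legacy)
    print("set_ciphersuites <-", tls13)
    print("accepted suites:", resolve_cipher_list(legacy))
    print("TLS 1.3 names alone via set_cipher_list:", resolve_cipher_list(tls13))
```

Running it against the interpreter's own library shows directly whether a `cipher` value made of TLS 1.3 names is rejected before any connection is attempted.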

wongsyrone commented Jul 19, 2020

LibreSSL doesn't implement it yet.
LibreSSL only supports TLS 1.3 for clients, not yet servers
libressl/portable#228 (comment)

@wongsyrone (Contributor)

To make it clear, use OpenSSL instead.

We have released LibreSSL 3.1.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This is the first stable release from the 3.1 series, which is included
with OpenBSD 6.7. It includes the following changes from 3.0:

 * New Features
   - Completed initial TLS 1.3 implementation with a completely new state
     machine and record layer. TLS 1.3 is now enabled by default for the **client**
     side, with the server side to be enabled in a future release. Note that
     the **OpenSSL TLS 1.3 API is not yet visible/available**.
   - Improved cipher suite handling to automatically include TLSv1.3 cipher
     suites when they are not explicitly referred to in the cipher string.

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.1-relnotes.txt

We have released LibreSSL 3.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.

This is the first **development release from the 3.2.x series**, which will
eventually be part of OpenBSD 6.8.  It includes the following changes:

    * Enable TLS 1.3 server side in addition to client by default.
      With this change TLS 1.3 is handled entirely on the new stack
      and state machine, with fallback to the legacy stack and
      state machine for older versions. **Note that the OpenSSL TLS 1.3
      API is not yet visible/available.**

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.0-relnotes.txt
