FTP explicit TLS connection problem with some minimal TLS versions

vankom
Guest

FTP explicit TLS connection problem with some minimal TLS versions

winscp632 (win10): default setting for explicit TLS is Minimal version TLS 1.2 (test3)
test1: min version TLS 1.0, wireshark reports Client Hello TLSv12 connection OK
test2: min version TLS 1.1, wireshark reports Client Hello TLSv12 connection OK
test3: min version TLS 1.2, wireshark reports Client Hello TLSv1, Server closed connection (no shared ciphers)
test4: min version TLS 1.3, wireshark reports Client Hello TLSv1, Server closed connection (no shared ciphers)
Could you explain why wireshark reports Client Hello TLSv1 when I set TLS 1.2/1.3?

vankom
Guest

winscp5.21.8portable (win10):
test1: min version TLS 1.0, wireshark reports Client Hello TLSv12, connection OK
test2: min version TLS 1.1, wireshark reports Client Hello TLSv12, connection OK
test3: min version TLS 1.2, wireshark reports Client Hello TLSv12, connection OK
test4: min version TLS 1.3, wireshark reports Client Hello TLSv1, Server closed connection (no shared ciphers)

vankom
Guest

FTP explicit TLS connection problem with some minimal TLS versions

I think this part of setting-vs-using needs rework. Also, the missing default value in RAW options is confusing (if you set up a non-default value, then the configuration option is in the config). Developers, please take a look at this.

martin
Site Admin

Re: FTP explicit TLS connection problem with some minimal TLS versions

I'm sorry, but I do not understand your last post. Can you please try again? Can you describe step-by-step what you are doing and how it went wrong?

martin
Site Admin

Re: FTP explicit TLS connection problem with some minimal TLS versions

Of course I've looked at them. But I still do not understand it. Please explain.

martin
Site Admin

Re: FTP explicit TLS connection problem with some minimal TLS versions

Please attach a full session log file showing the problem (using the latest version of WinSCP).

To generate the session log file, enable logging, log in to your server and do the operation and only the operation that causes the error. Submit the log with your post as an attachment. Note that passwords and passphrases are not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.

vankom
Guest

FTP explicit TLS connection problem with some minimal TLS versions

Test logs (version TLSmin-TLSmax)
WinSCP Version 5.21.8 TLSv1.2-TLSv1.2.log working
WinSCP Version 6.1.2 TLSv1.2-TLSv1.2.log working
WinSCP Version 6.2 beta TLSv1.2-TLSv1.2.log error
WinSCP Version 6.3.3 TLSv1.2-TLSv1.2.log error
WinSCP Version 6.3.3 TLSv1.1-TLSv1.2.log working
I found that the problem has been there since version 6.2 beta.
If I compare logs 6.1.2 TLSv1.2-TLSv1.2 and 6.3.3 TLSv1.1-TLSv1.2, they look identical.
Why is 6.3.3 TLSv1.2-TLSv1.2 not working?

martin
Site Admin

Re: FTP explicit TLS connection problem with some minimal TLS versions

Thanks. Is your server publicly accessible on the Internet? Can we get a full hostname, so that we can test on our own? (no credentials are needed)

vankom
Guest

Re: FTP explicit TLS connection problem with some minimal TLS versions

I cannot give you access. I will make pcaps to compare the differences.

vankom
Guest

Re: FTP explicit TLS connection problem with some minimal TLS versions - SHA1 problem

I found the cause (tcpdump analysis)
WinSCP Version 6.3.3 TLSv1.2-TLSv1.2.log error
-Signature Hash Algorithms (23 algorithms)
-SHA1 support is missing
WinSCP Version 6.3.3 TLSv1.1-TLSv1.2.log working
-Signature Hash Algorithms (26 algorithms)
-SHA1 is supported (algorithms 0x201, 0x202, 0x203)
It is caused by OpenSSL 3.1.3
* X509 certificates signed using SHA1 are no longer allowed at security level 1 and above.
Solution: We make a new server certificate with current security standards.
Thank you for the conversation.

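The comparison described in the post above (does the ClientHello's Signature Hash Algorithms list still offer SHA1, i.e. 0x201, 0x202, 0x203), as an added example that is not part of the original thread or of WinSCP's code. It parses the signature_algorithms extension out of one captured ClientHello record; the function names are hypothetical and the sample records are constructed, not taken from the poster's pcaps.

```python
import struct

# SHA-1 based code points named in the post (0x201, 0x202, 0x203).
SHA1_SCHEMES = {0x0201: "rsa_pkcs1_sha1", 0x0202: "dsa_sha1", 0x0203: "ecdsa_sha1"}
EXT_SIGNATURE_ALGORITHMS = 13

def signature_algorithms(record: bytes) -> list:
    """Return the code points in a ClientHello's signature_algorithms extension.
    Assumes one complete, unfragmented TLS record holding the ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                 # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher_suites
    pos += 1 + record[pos]                                 # compression_methods
    if pos + 2 > len(record):
        return []                                          # ClientHello without extensions
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4 : pos + 4 + ext_len]
        if ext_type == EXT_SIGNATURE_ALGORITHMS:
            (list_len,) = struct.unpack_from("!H", body, 0)
            return [struct.unpack_from("!H", body, 2 + i)[0] for i in range(0, list_len, 2)]
        pos += 4 + ext_len
    return []

def sha1_schemes_offered(record: bytes) -> list:
    """Names of the SHA-1 signature schemes the client still accepts."""
    return [SHA1_SCHEMES[s] for s in signature_algorithms(record) if s in SHA1_SCHEMES]

def build_client_hello(schemes) -> bytes:
    """Constructed sample: a minimal ClientHello with only signature_algorithms."""
    sig = struct.pack("!H", 2 * len(schemes)) + b"".join(struct.pack("!H", s) for s in schemes)
    exts = struct.pack("!HH", EXT_SIGNATURE_ALGORITHMS, len(sig)) + sig
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"            # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for label, schemes in (("with SHA1", [0x0403, 0x0401, 0x0203, 0x0201, 0x0202]),
                           ("without SHA1", [0x0403, 0x0804, 0x0401])):
        print(label, "->", sha1_schemes_offered(build_client_hello(schemes)) or "no SHA1 offered")
```

An empty result for a client whose server certificate is SHA1-signed matches the failing case in the post; the fix the poster applied was reissuing the certificate with SHA256.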
vankom
Guest

Re: FTP explicit TLS connection problem with some minimal TLS versions - SHA1 problem

Just final confirmation:
After changing the server certificate from SHA1 to SHA256, the connection is working in all versions mentioned above.
Thank you, this case is solved.

martin
Site Admin

Re: FTP explicit TLS connection problem with some minimal TLS versions - SHA1 problem

Thanks for sharing your solution!
