TLS is an extensible protocol. TLS 1.3 is backwards-compatible and may be incrementally rolled out in an existing compliant TLS 1.2 deployment. Yet we had problems. Widespread non-compliant servers broke on the TLS 1.3 ClientHello, so versioning moved to supported_versions. Widespread non-compliant middleboxes attempted to parse someone else’s ServerHellos, so the protocol was further hacked to weave through their many defects.
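To make the move to supported_versions concrete, the following Python sketch is an added example, not code from the original text or from any TLS implementation. It contrasts compliant version selection with a simplified model of the servers that broke on a newer version number; the function names, the sample bytes and the unknown code 0x7a7a are constructed for illustration.

```python
import struct

SUPPORTED_VERSIONS = 0x002B  # extension type assigned in RFC 8446
TLS12, TLS13 = 0x0303, 0x0304

def client_versions(extensions: bytes):
    """Return the supported_versions list from a ClientHello extensions block, or None."""
    if len(extensions) < 2 or struct.unpack_from("!H", extensions)[0] != len(extensions) - 2:
        raise ValueError("bad extensions length")
    pos = 2
    while pos < len(extensions):
        if pos + 4 > len(extensions):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", extensions, pos)
        body = extensions[pos + 4 : pos + 4 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension body")
        pos += 4 + ext_len
        if ext_type == SUPPORTED_VERSIONS:
            # Body is a 1-byte length followed by 2-byte version codes.
            if len(body) < 3 or body[0] != len(body) - 1 or body[0] % 2:
                raise ValueError("malformed supported_versions")
            return [v for (v,) in struct.iter_unpack("!H", body[1:])]
    return None

def negotiate(legacy_version, extensions, server_versions=(TLS12, TLS13)):
    """Compliant selection: the extension wins and unknown codes are skipped."""
    offered = client_versions(extensions)
    if offered is None:
        # Older client: cap at TLS 1.2 and at the version the client advertised.
        offered = [v for v in server_versions if v <= min(legacy_version, TLS12)]
    common = [v for v in offered if v in server_versions]
    if not common:
        raise ValueError("protocol_version alert")
    return max(common)

def negotiate_intolerant(legacy_version, server_max=TLS12):
    """Simplified model of the non-compliant behaviour: fail on a newer version."""
    if legacy_version > server_max:
        raise ValueError("handshake aborted")
    return legacy_version

def ext(ext_type, body):  # helper used only to build the constructed sample
    return struct.pack("!HH", ext_type, len(body)) + body

# Constructed sample: a padding extension (type 21), then the version list
# [0x7a7a (unknown to the server), TLS 1.3, TLS 1.2].
_exts = ext(21, b"\x00" * 4) + ext(SUPPORTED_VERSIONS, b"\x06\x7a\x7a\x03\x04\x03\x03")
SAMPLE = struct.pack("!H", len(_exts)) + _exts
```

Because the TLS 1.3 ClientHello keeps 0x0303 in its legacy version field and carries the real offer in the extension, the intolerant model never sees a number it rejects, while the compliant path still reaches TLS 1.3.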