Our app links with OpenSSL 3.0.7. I need to disable TLSv1.3. I used SSL_CTX_set_max_proto_version on both client and server contexts.
The results I observe look confusing:
* The connection between instances of our app is set up using TLSv1.2 and the cipher suite ECDHE-RSA-AES128-GCM-SHA256, which is what I expect.
* The list of ciphers reported by the app contains the TLSv1.3 ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256. The list is obtained with SSL_get_cipher_list() on an SSL* created from the SSL_CTX. The SSL_CTX has a max proto version of TLSv1.2 set right after SSL_CTX creation. Here I expect no TLSv1.3 ciphers, as TLSv1.3 is disabled. I know that the docs on SSL_CTX_set_max_proto_version() and on SSL_CTX_set_cipher*() don't state the relation between the protocol versions enabled and the ciphers available.
* ClientHello TLS messages between the app instances contain TLSv1.3 in the supported_versions extension on a few initial connections. Other connections don't have that extension at all.
My questions are:
* Is it valid behavior to have TLSv1.3 ciphers available on a context that has TLSv1.2 set as the max proto version?
* Is it a good idea to set the max proto version in code? Maybe it is too late and some default values from TLSv1.3, such as the above-mentioned available ciphers and supported versions, have already leaked?
* If the answer to 2 is negative, then what is the better alternative? I see two options here, but neither is ideal: a) build the OpenSSL 3 library with TLSv1.3 disabled (not sure it also disables the TLSv1.3 ciphers); b) use openssl.cnf to specify the max proto version and, if that isn't enough, the ciphersuites.
Ideally I'd like to be able to enable and disable TLSv1.3 and the related cipher suites in code, but so far I don't see how that is possible.
http://dlvr.it/ShqMqR