
TLS 1.3 OpenSSL TLS alert unrecognized_name does not appear

I am trying to provoke a TLS alert unrecognized_name for TLS 1.3 using OpenSSL, but it doesn't appear. For TLS 1.2 it works. Does anyone understand why? Here are examples of the commands:

openssl s_server -accept 9443 -key signed-pem.key -cert signed-pem.cert -tls1_2 -key2 anydesk.com.key -cert2 anydesk.com.cert -servername anydesk.com -cipher ALL:COMPLEMENTOFALL
Setting secondary ctx parameters
Using default temp DH parameters
ACCEPT

openssl s_client -connect 10.10.10.55:9443  -CAfile signed-pem.cert -tls1_2  -cipher DHE-RSA-AES128-SHA -state -servername desk.com
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL3 alert read:warning:unrecognized name
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello

And for TLS1.3:

openssl s_server -accept 9443 -key signed-pem.key -cert signed-pem.cert -tls1_3 -key2 anydesk.com.key -cert2 anydesk.com.cert -servername anydesk.com -cipher ALL:COMPLEMENTOFALL
Setting secondary ctx parameters
Using default temp DH parameters
ACCEPT

openssl s_client -connect 10.10.10.55:9443  -CAfile signed-pem.cert -tls1_3  -ciphersuites TLS_AES_128_GCM_SHA256 -state -servername desk.com
CONNECTED(00000005)
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:TLSv1.3 read encrypted extensions
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:TLSv1.3 read server certificate verify
SSL_connect:SSLv3/TLS read finished
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished

It's due to this code in OpenSSL:

https://github.com/openssl/openssl/blob/a65c8d8f737fe4e67d0b37e2b20dc1adccd93112/ssl/statem/extensions.c#L994-L997

    case SSL_TLSEXT_ERR_ALERT_WARNING:
        /* TLSv1.3 doesn't have warning alerts so we suppress this */
        if (!SSL_IS_TLS13(s))
            ssl3_send_alert(s, SSL3_AL_WARNING, altmp);

You will note in your TLSv1.2 output that the alert is a warning:

SSL3 alert read:warning:unrecognized name

TLSv1.3 does not use the "severity" indication within an alert. All error alerts are considered fatal. Therefore OpenSSL does not send this alert because it is not fatal in this context.
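To make the severity rule concrete, the following is an added example (not code from the question, the answer or OpenSSL) that parses plaintext TLS alert records and classifies them the way each protocol version requires: TLS 1.2 honours the level byte, while TLS 1.3 (RFC 8446 section 6) ignores it and treats every alert other than close_notify and user_canceled as fatal. The sample bytes are constructed to mirror the server's reply in the TLS 1.2 trace above (a warning-level unrecognized_name alert followed by a handshake record). Two assumptions: only plaintext records are handled, and the negotiated version is passed in by the caller, because the record-layer version field is 0x0303 for both TLS 1.2 and TLS 1.3 and cannot be used to tell them apart.

```python
"""Classify TLS alert records using version-specific severity rules.

Added example, not from the original post or from OpenSSL. The sample
records below are constructed by hand; only plaintext records are parsed.
"""
import struct

CONTENT_TYPE_ALERT = 21
CONTENT_TYPE_HANDSHAKE = 22
TLS12 = 0x0303
TLS13 = 0x0304
LEVEL_WARNING = 1
LEVEL_FATAL = 2

# AlertDescription values shared by RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3).
ALERT_NAMES = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    80: "internal_error",
    90: "user_canceled",
    110: "unsupported_extension",
    112: "unrecognized_name",
}

# RFC 8446 section 6: the level field is ignored; every alert except the two
# closure alerts is fatal regardless of what the sender put in the level byte.
TLS13_CLOSURE_ALERTS = {0, 90}


def parse_records(buf):
    """Split a byte string into plaintext TLS records.

    Returns a list of (content_type, legacy_version, fragment) tuples and
    raises ValueError on a truncated header or body.
    """
    records = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", buf[off:off + 5])
        off += 5
        fragment = buf[off:off + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        records.append((ctype, version, fragment))
        off += length
    return records


def alert_is_fatal(negotiated_version, level, description):
    """Apply the severity rule of the negotiated protocol version."""
    if negotiated_version >= TLS13:
        return description not in TLS13_CLOSURE_ALERTS
    return level == LEVEL_FATAL


def classify_alerts(negotiated_version, buf):
    """Return [(alert_name, 'fatal' | 'warning')] for each alert record in buf."""
    out = []
    for ctype, _legacy_version, fragment in parse_records(buf):
        if ctype != CONTENT_TYPE_ALERT:
            continue
        if len(fragment) != 2:
            raise ValueError("alert fragment must be exactly 2 bytes")
        level, description = fragment[0], fragment[1]
        name = ALERT_NAMES.get(description, "unknown(%d)" % description)
        fatal = alert_is_fatal(negotiated_version, level, description)
        out.append((name, "fatal" if fatal else "warning"))
    return out


def build_alert(legacy_version, level, description):
    """Encode one plaintext alert record (5-byte header plus 2-byte body)."""
    header = struct.pack("!BHH", CONTENT_TYPE_ALERT, legacy_version, 2)
    return header + bytes([level, description])


# Constructed sample modelled on the TLS 1.2 trace in the question: a
# warning-level unrecognized_name alert, then a handshake record whose body is
# a placeholder (ServerHello type byte, zero length), which is never parsed here.
SAMPLE_TLS12_FLIGHT = (
    build_alert(TLS12, LEVEL_WARNING, 112)
    + struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, TLS12, 4) + b"\x02\x00\x00\x00"
)

if __name__ == "__main__":
    for version in (TLS12, TLS13):
        print(hex(version), classify_alerts(version, SAMPLE_TLS12_FLIGHT))
```

Run stand-alone, the same bytes classify as a non-fatal warning under TLS 1.2 (so the handshake in the question continues to ServerHello) and as fatal under TLS 1.3, which is exactly why OpenSSL drops the warning rather than abort a handshake the callback only meant to annotate. If you need the alert to appear under TLS 1.3, the servername callback has to return SSL_TLSEXT_ERR_ALERT_FATAL, and the connection will then fail.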
