diff --git a/handler/redirect/tcp/handler.go b/handler/redirect/tcp/handler.go
index 3f8ede3..a81a8a2 100644
--- a/handler/redirect/tcp/handler.go
+++ b/handler/redirect/tcp/handler.go
@@ -109,9 +109,10 @@ func (h *redirectHandler) Handle(ctx context.Context, conn net.Conn, opts ...han
 conn.SetReadDeadline(time.Time{})
 }
 rw = xio.NewReadWriter(io.MultiReader(bytes.NewReader(hdr[:n]), rw), rw)
+ tlsVersion := binary.BigEndian.Uint16(hdr[1:3])
 if err == nil && hdr[0] == dissector.Handshake &&
- binary.BigEndian.Uint16(hdr[1:3]) == tls.VersionTLS10 {
+ (tlsVersion >= tls.VersionTLS10 && tlsVersion <= tls.VersionTLS13) {
 return h.handleHTTPS(ctx, rw, conn.RemoteAddr(), dstAddr, log)
 }
diff --git a/handler/sni/handler.go b/handler/sni/handler.go
index ab7acb8..f99161f 100644
--- a/handler/sni/handler.go
+++ b/handler/sni/handler.go
@@ -90,8 +90,10 @@ func (h *sniHandler) Handle(ctx context.Context, conn net.Conn, opts ...handler.
 }
 rw := xio.NewReadWriter(io.MultiReader(bytes.NewReader(hdr[:]), conn), conn)
+
+ tlsVersion := binary.BigEndian.Uint16(hdr[1:3])
 if hdr[0] == dissector.Handshake &&
- binary.BigEndian.Uint16(hdr[1:3]) == tls.VersionTLS10 {
+ (tlsVersion >= tls.VersionTLS10 && tlsVersion <= tls.VersionTLS13) {
 return h.handleHTTPS(ctx, rw, conn.RemoteAddr(), log)
 }
 return h.handleHTTP(ctx, rw, conn.RemoteAddr(), log)
diff --git a/internal/util/forward/forward.go b/internal/util/forward/forward.go
index 42a4b93..17b007b 100644
--- a/internal/util/forward/forward.go
+++ b/internal/util/forward/forward.go
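Review bot: The new range still leaves a handshake record whose version field is 0x0300 classified as non-TLS, so the SNI path is skipped for it; RFC 5246 Appendix E.1 lets a client put any {03,XX} value, typically {03,00}, in the record-layer version of its ClientHello. The same condition is repeated in the sni handler hunk and in `Sniffing` in internal/util/forward/forward.go, and in the sni handler the fall-through is visibly `handleHTTP`, so any routing or bypass rule keyed on the sniffed server name would presumably not see such a connection. If those clients should be sniffed too, lower the bound, e.g. `tlsVersion >= 0x0300 && tlsVersion <= tls.VersionTLS13`, and consider moving the test into one shared helper so the three call sites cannot drift apart. `tlsVersion` is also now read before `err` is checked, which is only safe while `hdr` is at least three bytes long; its declaration is outside this hunk, and all three enclosing functions start and end outside their hunks.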
@@ -21,9 +21,10 @@ func Sniffing(ctx context.Context, rdw io.ReadWriter) (rw io.ReadWriter, host st
 var hdr [dissector.RecordHeaderLen]byte
 n, err := io.ReadFull(rw, hdr[:])
 rw = xio.NewReadWriter(io.MultiReader(bytes.NewReader(hdr[:n]), rw), rw)
+ tlsVersion := binary.BigEndian.Uint16(hdr[1:3])
 if err == nil && hdr[0] == dissector.Handshake &&
- binary.BigEndian.Uint16(hdr[1:3]) == tls.VersionTLS10 {
+ (tlsVersion >= tls.VersionTLS10 && tlsVersion <= tls.VersionTLS13) {
 rw, host, err = sniffSNI(ctx, rw)
 protocol = ProtoTLS
 return