Why does TLS1.3 use same cipher suite for RSA and ECC key pairs?

As per this answer RSA and ECC certificates should use different cipher suites. I tried to test it. It holds true for TLSv1.2. But for TLSv1.3 I see same cipher suite being used for both types of certificates(Tested via Google Chrome=>Dev Tools=>Security). Why is that?

Here is how I generated an ECC cert:

openssl ecparam -out nginx.key -name prime256v1 -genkey openssl req -new -key nginx.key -out csr.pem openssl req -x509 -nodes -days 365 -key nginx.key -in csr.pem -out nginx.pem 

Generating RSA cert:

 openssl genrsa -out rsa.key 2048  openssl req -x509 -new -nodes -key rsa.key -days 7300 -out rsa.pem 

With TLS1.3 both the certs result in usage of same cipher suite:

The connection to this site is encrypted and authenticated using TLS 1.3,  X25519, and AES_256_GCM. 

With TLS1.2, RSA cert:

    The connection to this site is encrypted and authenticated using TLS 1.2,  ECDHE_RSA with X25519, and AES_256_GCM. 

With TLS1.2, ECC cert:

The connection to this site is encrypted and authenticated using TLS 1.2,  ECDHE_ECDSA with X25519, and AES_256_GCM. 

Are there any OpenVPN 2.4.7 Windows builds compiled against OpenSSL 1.1.1 for TLS1.3 support? [on hold]

As of February, 2019, the OpenVPN 2.4.7 Windows default build is currently compiled against OpenSSL 1.1.0j. As a result, it seems not support TLS 1.3 yet. (tls-version-min 1.3 and tls-ciphersuites commands are unavailable.)

I wonder are there any OpenVPN 2.4.7 Windows builds that support TLS1.3?

[moved from here]

Are there any OpenVPN 2.4.7 Windows builds compiled against OpenSSL 1.1.1 for TLS1.3 support?

As of February, 2019, the OpenVPN 2.4.7 Windows default build is currently compiled against OpenSSL 1.1.0j. As a result, it seems not support TLS 1.3 yet. (tls-version-min 1.3 and tls-ciphersuites commands are unavailable.)

I wonder are there any OpenVPN 2.4.7 Windows builds that support TLS1.3?

Why is TLS1.2 wrapped in TLS1.3?

I was just curious about TLS1.3 which Cloudflare is one of the companies leading the implementation. I then visited blog.cloudflare.com and turned on my Wireshark. I am not 100% clear about all technical details of TLS1.3, but one of the new features that I was particularly interested in is Encrypted-SNI, which aims to hide the intended visiting domain name.

I check the pcap, saw both Client Hello and Server Hello as follow: enter image description here

I was surprised to see TLS1.2 was wrapped in the TLS1.3 packet, and the SNI part of TLS1.2 is still there, exposing the server name.

cl

So I wonder whether this is the implementation error or I have been downgraded by the server or any MitM? Note that I already configure my Firefox browser to force TLS1.3 only, thus it’s not the issue of my browser.