diff --git a/doc/next/6-stdlib/99-minor/crypto/tls/version_pref.md b/doc/next/6-stdlib/99-minor/crypto/tls/version_pref.md
new file mode 100644
index 0000000000..5686f3ca0a
--- /dev/null
+++ b/doc/next/6-stdlib/99-minor/crypto/tls/version_pref.md
@@ -0,0 +1 @@
+TLS servers now prefer the highest supported protocol version, even if it isn't the client's most preferred protocol version.
diff --git a/src/crypto/tls/bogo_config.json b/src/crypto/tls/bogo_config.json
index 61585938d7..191f48fc02 100644
--- a/src/crypto/tls/bogo_config.json
+++ b/src/crypto/tls/bogo_config.json
@@ -66,7 +66,6 @@
         "SupportTicketsWithSessionID": "TODO: first pass, this should be fixed",
         "NoNullCompression-TLS12": "TODO: first pass, this should be fixed",
         "KeyUpdate-RequestACK": "TODO: first pass, this should be fixed",
-        "IgnoreClientVersionOrder": "RFC 8446 4.2.1 says supported_versions is in client pref order",
         "SupportedVersionSelection-TLS12": "TODO: first pass, this should be fixed",
         "DuplicateExtensionServer-TLS-TLS1": "TODO: first pass, this should be fixed",
         "DuplicateExtensionClient-TLS-TLS1": "TODO: first pass, this should be fixed",
diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index 71b9ddb02c..1aaad7aba1 100644
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -1233,11 +1233,11 @@ func (c *Config) supportsCurve(version uint16, curve CurveID) bool {
 }
 
 // mutualVersion returns the protocol version to use given the advertised
-// versions of the peer. Priority is given to the peer preference order.
+// versions of the peer. The highest supported version is preferred.
 func (c *Config) mutualVersion(isClient bool, peerVersions []uint16) (uint16, bool) {
 	supportedVersions := c.supportedVersions(isClient)
-	for _, v := range peerVersions {
-		if slices.Contains(supportedVersions, v) {
+	for _, v := range supportedVersions {
+		if slices.Contains(peerVersions, v) {
 			return v, true
 		}
 	}