diff --git a/core/core.go b/core/core.go
index 3fc509ded32f..e9cf01b1824d 100644
--- a/core/core.go
+++ b/core/core.go
@@ -255,7 +255,11 @@ func (n *IpfsNode) startOnlineServices(ctx context.Context, routingOption Routin
 libp2pOpts = append(libp2pOpts, libp2p.DefaultTransports)
 // enable secio and TLS
- libp2pOpts = append(libp2pOpts, libp2p.ChainOptions(libp2p.Security(secio.ID, secio.New), libp2p.Security(tls.ID, tls.New)))
+ if cfg.Experimental.PreferTLS {
+ libp2pOpts = append(libp2pOpts, libp2p.ChainOptions(libp2p.Security(tls.ID, tls.New), libp2p.Security(secio.ID, secio.New)))
+ } else {
+ libp2pOpts = append(libp2pOpts, libp2p.ChainOptions(libp2p.Security(secio.ID, secio.New), libp2p.Security(tls.ID, tls.New)))
+ }
 if cfg.Experimental.QUIC {
 libp2pOpts = append(libp2pOpts, libp2p.Transport(quic.NewTransport))
diff --git a/docs/experimental-features.md b/docs/experimental-features.md
index 192cd61d82f7..2bedaafb17f9 100644
--- a/docs/experimental-features.md
+++ b/docs/experimental-features.md
@@ -683,3 +683,22 @@ ipfs config --json Swarm.EnableAutoNATService true
 ### Road to being a real feature
 - [ ] needs testing
+
+
+## TLS 1.3 as default handshake protocol
+
+### State
+
+Every node accepts secio and TLS 1.3 connections, but prefers secio over TLS when dialing.
+
+### How to enable
+
+Modify your ipfs config:
+
+```
+ipfs config --json Experimental.PreferTLS true
+```
+
+### Road to being a real feature
+
+- [ ] needs testing
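Review bot: Both branches of the new `if cfg.Experimental.PreferTLS` in core/core.go still register secio and TLS, so the flag only reorders them and a connection can still end up on secio; the kept comment `// enable secio and TLS` does not say that. I would reword it to something like `// Both secio and TLS stay enabled; PreferTLS only changes which one is listed first.` so operators do not read the option as TLS-only. The two `append` lines differ only in argument order, so building the pair once and swapping it when the flag is set would keep the branches from drifting if another security transport is added. Presumably the order passed to `libp2p.ChainOptions` is what sets dial preference; nothing in the hunk checks that, so it is worth confirming against libp2p and covering with a test. The body of startOnlineServices starts and ends outside the hunk.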