--- native/include/ssl_private.h (revision 1842283)
+++ native/include/ssl_private.h (working copy)
@@ -84,6 +84,7 @@
 #define SSL_PROTOCOL_TLSV1 (1<<2)
 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
+#define SSL_PROTOCOL_TLSV1_3 (1<<5)
 #define SSL_MODE_CLIENT (0)
 #define SSL_MODE_SERVER (1)
@@ -180,6 +181,10 @@
 #define HAVE_TLSV1_2
 #endif
+#if defined(SSL_OP_NO_TLSv1_3)
+#define HAVE_TLSV1_3
+#endif
+
 /* Check for SSL_CONF support */
 #if defined(SSL_CONF_FLAG_FILE)
 #define HAVE_SSL_CONF_CMD
--- native/src/sslcontext.c (revision 1842283)
+++ native/src/sslcontext.c (working copy)
@@ -152,7 +152,19 @@
 }
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
- if (protocol == SSL_PROTOCOL_TLSV1_2) {
+ if (protocol == SSL_PROTOCOL_TLSV1_3) {
+#ifdef HAVE_TLSV1_3
+ if (mode == SSL_MODE_CLIENT)
+ ctx = SSL_CTX_new(TLSv1_3_client_method());
+ else if (mode == SSL_MODE_SERVER)
+ ctx = SSL_CTX_new(TLSv1_3_server_method());
+ else
+ ctx = SSL_CTX_new(TLSv1_3_method());
+#else
+ tcn_Throw(e, "TLSv1.3 requested but not supported by this version of OpenSSL");
+ goto init_failed;
+#endif
+ } else if (protocol == SSL_PROTOCOL_TLSV1_2) {
 #ifdef HAVE_TLSV1_2
 if (mode == SSL_MODE_CLIENT)
 ctx = SSL_CTX_new(TLSv1_2_client_method());
@@ -241,9 +253,19 @@
 if (!(protocol & SSL_PROTOCOL_TLSV1_2))
 SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_2);
 #endif
+#ifdef HAVE_TLSV1_3
+ if (!(protocol & SSL_PROTOCOL_TLSV1_3))
+ SSL_CTX_set_options(c->ctx, SSL_OP_NO_TLSv1_3);
+#endif
 #else /* if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
 /* We first determine the maximum protocol version we should provide */
+#ifdef HAVE_TLSV1_3
+ if (protocol & SSL_PROTOCOL_TLSV1_3) {
+ prot = TLS1_3_VERSION;
+ } else
+/* NOTE the dangling else above: take care to preserve it */
+#endif
 if (protocol & SSL_PROTOCOL_TLSV1_2) {
 prot = TLS1_2_VERSION;
 } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
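Review bot: The `#ifdef HAVE_TLSV1_3` arm added under `OPENSSL_VERSION_NUMBER < 0x10100000L` calls `TLSv1_3_client_method()`, `TLSv1_3_server_method()` and `TLSv1_3_method()`, which do not exist in OpenSSL — TLS 1.3 arrived with 1.1.1, which exposes it only through the version-flexible `TLS_method()` family, and I am not aware of LibreSSL providing version-specific 1.3 methods either. With OpenSSL the arm is merely dead (ssl_private.h derives `HAVE_TLSV1_3` from `SSL_OP_NO_TLSv1_3`, a 1.1.1+ symbol, so it is never defined on this path), but if this `#if` also routes LibreSSL here, as the `#else` comment in the later hunk suggests for that block, a LibreSSL that defines `SSL_OP_NO_TLSv1_3` would fail to build. Suggest dropping the arm and keeping only the `#else` body: `if (protocol == SSL_PROTOCOL_TLSV1_3) {` / `tcn_Throw(e, "TLSv1.3 requested but not supported by this version of OpenSSL");` / `goto init_failed;`. The enclosing function starts and ends outside this hunk.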
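Review bot: In the `#else` path of the last hunk the new `} else` is only completed by the `if (protocol & SSL_PROTOCOL_TLSV1_2)` on the far side of `#endif`, so the max-version chain's correctness now depends on a preprocessor boundary that a later edit or a formatter can break without any compiler diagnostic; the NOTE comment documents the hazard but does not remove it. A shape that keeps every statement whole is to let the TLS 1.3 step run on its own and make the existing chain conditional on it not having fired, which preserves the current silent fallback to TLS 1.2 when `HAVE_TLSV1_3` is undefined. This assumes `prot` is a plain integer declared earlier in the function (outside this hunk) and that no protocol version constant is 0. The old-API half of the hunk mirrors the existing TLSv1.2 handling and looks fine.
```c
        /* We first determine the maximum protocol version we should provide */
        prot = 0;
#ifdef HAVE_TLSV1_3
        if (protocol & SSL_PROTOCOL_TLSV1_3)
            prot = TLS1_3_VERSION;
#endif
        /* The chain below only runs when TLS 1.3 was not selected above */
        if (prot == 0 && (protocol & SSL_PROTOCOL_TLSV1_2)) {
            prot = TLS1_2_VERSION;
        } else if (protocol & SSL_PROTOCOL_TLSV1_1) {
        /* … unchanged: remaining else-if arms of the max-version chain … */
```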
@@ -261,6 +283,12 @@
 /* Next we scan for the minimal protocol version we should provide,
 * but we do not allow holes between max and min */
+#ifdef HAVE_TLSV1_3
+ if (prot == TLS1_3_VERSION && protocol & SSL_PROTOCOL_TLSV1_2) {
+ prot = TLS1_2_VERSION;
+ } else
+/* NOTE the dangling else above: take care to preserve it */
+#endif
 if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1) {
 prot = TLS1_1_VERSION;
 }
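Review bot: The `} else` inserted before `if (prot == TLS1_2_VERSION && protocol & SSL_PROTOCOL_TLSV1_1)` turns the min-version scan into an else-if chain, but the existing scan appears to work by cascading independent `if`s (the TLSv1.2→TLSv1.1 step ends in a bare `}` and the comment says holes between max and min are not allowed), so once the new step lowers `prot` from TLS1_3_VERSION to TLS1_2_VERSION the `else` skips the step that would lower it again. If that reading is right, enabling TLSv1.3, TLSv1.2 and TLSv1.1 together leaves the minimum at TLS 1.2 and TLS 1.1 is silently never offered — stricter than configured, but not what the operator asked for, and easy to miss in testing. Drop the `else` and the NOTE comment so the step stands alone like the others: `if (prot == TLS1_3_VERSION && (protocol & SSL_PROTOCOL_TLSV1_2)) {` / `prot = TLS1_2_VERSION;` / `}`. The cascade's later steps and the enclosing function lie outside this hunk, so their shape is inferred from the visible `}`.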