diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 2122a6e070..9e0ea7950e 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -253,6 +253,12 @@ static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
 match_found = 1;
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
+ ret = psa_crypto_init();
+ if( ret != PSA_SUCCESS )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_crypto_init()", ret );
+ return( ret );
+ }
 ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ssl, p - 2, end - p + 2 );
 if( ret != 0 )
 return( ret );
@@ -648,7 +654,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 * - The entire content of the CH message, if no PSK extension is present
 * - The content up to but excluding the PSK extension, if present.
 */
- mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
+ mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
 buf, p - buf );
 /*
 * Search for a matching ciphersuite
@@ -793,6 +799,11 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
 break;
+ case MBEDTLS_SSL_SERVER_HELLO:
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSL - The requested feature is not available" ) );
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+ break;
 default:
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index dac868f49d..d870076884 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -10219,6 +10219,8 @@ run_test "TLS 1.3: Server side check, ciphersuite TLS_AES_256_GCM_SHA384 - op
 "$O_NEXT_CLI -msg -tls1_3" \
 1 \
 -s " tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
+ -s " tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
+ -s " SSL - The requested feature is not available" \
 -s "=> parse client hello" \
 -s "<= parse client hello"
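Review bot: The early return in the added psa_crypto_init() block hands a raw psa_status_t back to the caller of ssl_tls13_parse_key_shares_ext(), whereas the surrounding code treats `ret` as an mbedtls error code (the read_public_ecdhe_share result just below is compared against 0), so a PSA failure would surface to the handshake as a value outside the MBEDTLS_ERR_SSL_* space. Map it before returning, e.g. `return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );` after the DEBUG_RET, or use the project's PSA-to-mbedtls status translation helper if this tree already has one. Initialising the PSA subsystem inside the per-key-share match branch also means the call runs on every ClientHello that reaches this point; if setup already guarantees psa_crypto_init() has been called, this belongs there and the parser should only rely on it. The enclosing function begins and ends outside the hunk.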
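Review bot: The transcript fix on the mbedtls_ssl_add_hs_msg_to_checksum() line (MBEDTLS_SSL_HS_SERVER_HELLO replaced by MBEDTLS_SSL_HS_CLIENT_HELLO) is not exercised by the tests this commit adds: both ssl-opt.sh hunks deliberately stop the handshake at MBEDTLS_SSL_SERVER_HELLO with the "feature not available" abort, so a wrong handshake-type byte in the transcript would presumably only show up later, once the transcript hash feeds key derivation or Finished/binder verification. Either note the gap next to those tests or plan a test that drives the handshake past that point as soon as the server supports it. A short comment on the call would also protect against regression: `/* The handshake type byte is hashed with the message, so it must be the ClientHello's. */`. ssl_tls13_parse_client_hello() begins and ends outside the hunk.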
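Review bot: The new MBEDTLS_SSL_SERVER_HELLO case logs the text of MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ("The requested feature is not available") but returns MBEDTLS_ERR_SSL_BAD_INPUT_DATA, so the code a caller sees contradicts the log and is indistinguishable from the `default:` invalid-state branch directly below it. Return the matching code, `return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );`, which keeps the ssl-opt.sh greps on the message text valid. The blank line and `break;` after the return are unreachable and can be dropped. mbedtls_ssl_tls13_handshake_server_step() begins and ends outside the hunk.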
@@ -10231,9 +10233,11 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
 run_test "TLS 1.3: Server side check, ciphersuite TLS_AES_128_GCM_SHA256 - gnutls" \
 "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
- "$G_NEXT_CLI -d 4 localhost --priority=NONE:+AES-128-GCM:+SHA256:+AEAD:+VERS-TLS1.3:%NO_TICKETS" \
+ "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
 1 \
 -s " tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
+ -s " tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
+ -s " SSL - The requested feature is not available" \
 -s "=> parse client hello" \
 -s "<= parse client hello"
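Review bot: The rewritten GnuTLS priority string on the $G_NEXT_CLI line drops the restriction to AES-128-GCM/SHA256 that the removed line carried, so the test named "ciphersuite TLS_AES_128_GCM_SHA256 - gnutls" no longer pins the ciphersuite its name advertises, and none of the -s patterns checks which suite the server selected either. If the intent is still to exercise that specific suite, restrict the cipher list again in the new priority string; otherwise rename the test to describe what it now verifies (reaching the SERVER_HELLO state and aborting). The move to %DISABLE_TLS13_COMPAT_MODE and -V also changes client behaviour without a visible reason; a one-line comment above run_test stating why compat mode must be off for this server would help the next person who touches it.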