Index: aclocal/tcltls_openssl.m4
==================================================================
--- aclocal/tcltls_openssl.m4
+++ aclocal/tcltls_openssl.m4
@@ -1,19 +1,46 @@
 dnl $1 = Name of variable
 dnl $2 = Name of function to check for
 dnl $3 = Name of protocol
 dnl $4 = Name of CPP macro to define
+dnl $5 = Name of CPP macro to check for instead of a function
 AC_DEFUN([TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER], [
 	dnl Determine if particular SSL version is enabled
 	if test "[$]$1" = "true" -o "[$]$1" = "force"; then
-		AC_CHECK_FUNC($2,, [
+		proto_check='true'
+		ifelse($5,, [
+			AC_CHECK_FUNC($2,, [
+				proto_check='false'
+			])
+		], [
+			AC_LANG_PUSH(C)
+			AC_MSG_CHECKING([for $3 protocol support])
+			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+#include <openssl/ssl.h>
+#include <openssl/opensslv.h>
+#if (SSLEAY_VERSION_NUMBER >= 0x0907000L)
+# include <openssl/conf.h>
+#endif
+			], [
+int x = $5;
+			])], [
+				AC_MSG_RESULT([yes])
+			], [
+				AC_MSG_RESULT([no])
+
+				proto_check='false'
+			])
+			AC_LANG_POP([C])
+		])
+
+		if test "$proto_check" = 'false'; then
 			if test "[$]$1" = "force"; then
 				AC_MSG_ERROR([Unable to enable $3])
 			fi
 
 			$1='false'
-		])
+		fi
 	fi
 
 	if test "[$]$1" = "false"; then
 		AC_DEFINE($4, [1], [Define this to disable $3 in OpenSSL support])
 	fi
@@ -153,19 +180,17 @@
 		AC_MSG_RESULT([no])
 		AC_MSG_ERROR([Unable to compile a basic program using OpenSSL])
 	])
 	AC_LANG_POP([C])
 
+	AC_CHECK_FUNCS([TLS_method])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl2], [SSLv2_method], [sslv2], [NO_SSL2])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2])
-
-	dnl XXX:TODO: Note that OpenSSL 1.1.1 does not export this, still need to figure out how to
-	dnl talk only TLSv1.3
-	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [TLSv1_3_method], [tlsv1.3], [NO_TLS1_3])
+	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [], [tlsv1.3], [NO_TLS1_3], [SSL_OP_NO_TLSv1_3])
 
 	AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [
 		AC_LANG_PUSH(C)
 		AC_MSG_CHECKING([for SSL_set_tlsext_host_name])
 		AC_LINK_IFELSE([AC_LANG_PROGRAM([

Index: tls.c
==================================================================
--- tls.c
+++ tls.c
@@ -59,11 +59,11 @@
 			Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]);
 
 static int	UnimportObjCmd(ClientData clientData,
 			Tcl_Interp *interp, int objc, Tcl_Obj *CONST objv[]);
 
-static SSL_CTX *CTX_Init(State *statePtr, int proto, char *key,
+static SSL_CTX *CTX_Init(State *statePtr, int isServer, int proto, char *key,
 			char *cert, char *CAdir, char *CAfile, char *ciphers,
 			char *DHparams);
 
 static int	TlsLibInit(int uninitialize);
 
@@ -70,10 +70,11 @@
 #define TLS_PROTO_SSL2		0x01
 #define TLS_PROTO_SSL3		0x02
 #define TLS_PROTO_TLS1		0x04
 #define TLS_PROTO_TLS1_1	0x08
 #define TLS_PROTO_TLS1_2	0x10
+#define TLS_PROTO_TLS1_3	0x20
 #define ENABLED(flag, mask)	(((flag) & (mask)) == (mask))
 
 /*
  * Static data structures
  */
@@ -563,11 +564,13 @@
     case TLS_TLS1_3:
 #if defined(NO_TLS1_3)
 		Tcl_AppendResult(interp, "protocol not supported", NULL);
 		return TCL_ERROR;
 #else
-		ctx = SSL_CTX_new(TLSv1_3_method()); break;
+		ctx = SSL_CTX_new(TLS_method()); break;
+                SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
+                SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
 #endif
     default:
 		break;
     }
     if (ctx == NULL) {
@@ -824,10 +827,11 @@
     proto |= (ssl2 ? TLS_PROTO_SSL2 : 0);
     proto |= (ssl3 ? TLS_PROTO_SSL3 : 0);
     proto |= (tls1 ? TLS_PROTO_TLS1 : 0);
     proto |= (tls1_1 ? TLS_PROTO_TLS1_1 : 0);
     proto |= (tls1_2 ? TLS_PROTO_TLS1_2 : 0);
+    proto |= (tls1_3 ? TLS_PROTO_TLS1_3 : 0);
 
     /* reset to NULL if blank string provided */
     if (cert && !*cert)		cert	 = NULL;
     if (key && !*key)		key	 = NULL;
     if (ciphers && !*ciphers)	ciphers	 = NULL;
@@ -881,11 +885,11 @@
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
 	}
 	ctx = ((State *)Tcl_GetChannelInstanceData(chan))->ctx;
     } else {
-	if ((ctx = CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers,
+	if ((ctx = CTX_Init(statePtr, server, proto, key, cert, CAdir, CAfile, ciphers,
 		DHparams)) == (SSL_CTX*)0) {
 	    Tls_Free((char *) statePtr);
 	    return TCL_ERROR;
 	}
     }
@@ -1050,12 +1054,13 @@
  *
  *-------------------------------------------------------------------
  */
 
 static SSL_CTX *
-CTX_Init(statePtr, proto, key, cert, CAdir, CAfile, ciphers, DHparams)
+CTX_Init(statePtr, isServer, proto, key, cert, CAdir, CAfile, ciphers, DHparams)
     State *statePtr;
+    int isServer;
     int proto;
     char *key;
     char *cert;
     char *CAdir;
     char *CAfile;
@@ -1105,10 +1110,16 @@
     if (ENABLED(proto, TLS_PROTO_TLS1_2)) {
 	Tcl_AppendResult(interp, "protocol not supported", NULL);
 	return (SSL_CTX *)0;
     }
 #endif
+#if defined(NO_TLS1_3)
+    if (ENABLED(proto, TLS_PROTO_TLS1_3)) {
+	Tcl_AppendResult(interp, "protocol not supported", NULL);
+	return (SSL_CTX *)0;
+    }
+#endif
 
     switch (proto) {
 #if !defined(NO_SSL2)
     case TLS_PROTO_SSL2:
 	method = SSLv2_method ();
@@ -1131,13 +1142,27 @@
 #endif
 #if !defined(NO_TLS1_2)
     case TLS_PROTO_TLS1_2:
 	method = TLSv1_2_method ();
 	break;
+#endif
+#if !defined(NO_TLS1_3)
+    case TLS_PROTO_TLS1_3:
+        /*
+         * The version range is constrained below,
+         * after the context is created.  Use the
+         * generic method here.
+         */
+	method = TLS_method ();
+	break;
 #endif
     default:
+#ifdef HAVE_TLS_METHOD
+        method = TLS_method ();
+#else
         method = SSLv23_method ();
+#endif
 #if !defined(NO_SSL2)
 	off |= (ENABLED(proto, TLS_PROTO_SSL2)   ? 0 : SSL_OP_NO_SSLv2);
 #endif
 #if !defined(NO_SSL3)
 	off |= (ENABLED(proto, TLS_PROTO_SSL3)   ? 0 : SSL_OP_NO_SSLv3);
@@ -1149,14 +1174,28 @@
 	off |= (ENABLED(proto, TLS_PROTO_TLS1_1) ? 0 : SSL_OP_NO_TLSv1_1);
 #endif
 #if !defined(NO_TLS1_2)
 	off |= (ENABLED(proto, TLS_PROTO_TLS1_2) ? 0 : SSL_OP_NO_TLSv1_2);
 #endif
+#if !defined(NO_TLS1_3)
+	off |= (ENABLED(proto, TLS_PROTO_TLS1_3) ? 0 : SSL_OP_NO_TLSv1_3);
+#endif
 	break;
     }
     
     ctx = SSL_CTX_new (method);
+
+    if (!ctx) {
+        return(NULL);
+    }
+
+#if !defined(NO_TLS1_3)
+    if (proto == TLS_PROTO_TLS1_3) {
+        SSL_CTX_set_min_proto_version (ctx, TLS1_3_VERSION);
+        SSL_CTX_set_max_proto_version (ctx, TLS1_3_VERSION);
+    }
+#endif
     
     SSL_CTX_set_app_data( ctx, (VOID*)interp);	/* remember the interpreter */
     SSL_CTX_set_options( ctx, SSL_OP_ALL);	/* all SSL bug workarounds */
     SSL_CTX_set_options( ctx, off);	/* all SSL bug workarounds */
     SSL_CTX_sess_set_cache_size( ctx, 128);