Index: aclocal/tcltls_openssl.m4
==================================================================
--- aclocal/tcltls_openssl.m4
+++ aclocal/tcltls_openssl.m4
@@ -159,10 +159,14 @@
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_ssl3], [SSLv3_method], [sslv3], [NO_SSL3])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_0], [TLSv1_method], [tlsv1.0], [NO_TLS1])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_1], [TLSv1_1_method], [tlsv1.1], [NO_TLS1_1])
 	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_2], [TLSv1_2_method], [tlsv1.2], [NO_TLS1_2])
 
+	dnl XXX:TODO: Note that OpenSSL 1.1.1 does not export this, still need to figure out how to
+	dnl talk only TLSv1.3
+	TCLTLS_SSL_OPENSSL_CHECK_PROTO_VER([tcltls_ssl_tls1_3], [TLSv1_3_method], [tlsv1.3], [NO_TLS1_3])
+
 	AC_CACHE_VAL([tcltls_cv_func_tlsext_hostname], [
 		AC_LANG_PUSH(C)
 		AC_MSG_CHECKING([for SSL_set_tlsext_host_name])
 		AC_LINK_IFELSE([AC_LANG_PROGRAM([
 #include <openssl/ssl.h>

Index: configure.ac
==================================================================
--- configure.ac
+++ configure.ac
@@ -108,19 +108,30 @@
 	else
 		tcltls_ssl_tls1_1='false'
 	fi
 ])
 
-dnl ## TLSv1.1: Enabled by default
+dnl ## TLSv1.2: Enabled by default
 tcltls_ssl_tls1_2='true'
 AC_ARG_ENABLE([tlsv1.2], AS_HELP_STRING([--disable-tlsv1.2], [disable TLSv1.2 protocol]), [
 	if test "$enableval" = "yes"; then
 		tcltls_ssl_tls1_2='force'
 	else
 		tcltls_ssl_tls1_2='false'
 	fi
 ])
+
+dnl ## TLSv1.3: Enabled by default
+tcltls_ssl_tls1_3='true'
+AC_ARG_ENABLE([tlsv1.3], AS_HELP_STRING([--disable-tlsv1.3], [disable TLSv1.3 protocol]), [
+	if test "$enableval" = "yes"; then
+		tcltls_ssl_tls1_3='force'
+	else
+		tcltls_ssl_tls1_3='false'
+	fi
+])
+
 
 dnl Enable support for a debugging build
 tcltls_debug='false'
 AC_ARG_ENABLE([debug], AS_HELP_STRING([--enable-debug], [enable debugging parameters]), [
 	if test "$enableval" = "yes"; then

Index: tls.c
==================================================================
--- tls.c
+++ tls.c
@@ -496,14 +496,14 @@
     Tcl_Interp *interp;
     int objc;
     Tcl_Obj	*CONST objv[];
 {
     static CONST84 char *protocols[] = {
-	"ssl2",	"ssl3",	"tls1",	"tls1.1", "tls1.2", NULL
+	"ssl2",	"ssl3",	"tls1",	"tls1.1", "tls1.2", "tls1.3", NULL
     };
     enum protocol {
-	TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_NONE
+	TLS_SSL2, TLS_SSL3, TLS_TLS1, TLS_TLS1_1, TLS_TLS1_2, TLS_TLS1_3, TLS_NONE
     };
     Tcl_Obj *objPtr;
     SSL_CTX *ctx = NULL;
     SSL *ssl = NULL;
     STACK_OF(SSL_CIPHER) *sk;
@@ -558,10 +558,17 @@
 		Tcl_AppendResult(interp, "protocol not supported", NULL);
 		return TCL_ERROR;
 #else
 		ctx = SSL_CTX_new(TLSv1_2_method()); break;
 #endif
+    case TLS_TLS1_3:
+#if defined(NO_TLS1_3)
+		Tcl_AppendResult(interp, "protocol not supported", NULL);
+		return TCL_ERROR;
+#else
+		ctx = SSL_CTX_new(TLSv1_3_method()); break;
+#endif
     default:
 		break;
     }
     if (ctx == NULL) {
 	Tcl_AppendResult(interp, REASON(), (char *) NULL);
@@ -735,11 +742,11 @@
     char *model		= NULL;
 #ifndef OPENSSL_NO_TLSEXT
     char *servername	= NULL;	/* hostname for Server Name Indication */
 #endif
     int ssl2 = 0, ssl3 = 0;
-    int tls1 = 1, tls1_1 = 1, tls1_2 = 1;
+    int tls1 = 1, tls1_1 = 1, tls1_2 = 1, tls1_3 = 1;
     int proto = 0;
     int verify = 0, require = 0, request = 1;
 
     dprintf("Called");
 
@@ -755,10 +762,13 @@
 #if defined(NO_TLS1_1)
     tls1_1 = 0;
 #endif
 #if defined(NO_TLS1_2)
     tls1_2 = 0;
+#endif
+#if defined(NO_TLS1_3)
+    tls1_3 = 0;
 #endif
 
     if (objc < 2) {
 	Tcl_WrongNumArgs(interp, 1, objv, "channel ?options?");
 	return TCL_ERROR;
@@ -799,12 +809,13 @@
 	OPTBOOL( "-ssl2", ssl2);
 	OPTBOOL( "-ssl3", ssl3);
 	OPTBOOL( "-tls1", tls1);
 	OPTBOOL( "-tls1.1", tls1_1);
 	OPTBOOL( "-tls1.2", tls1_2);
+	OPTBOOL( "-tls1.3", tls1_3);
 
-	OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1 or -tls1.2");
+	OPTBAD( "option", "-cadir, -cafile, -certfile, -cipher, -command, -dhparams, -keyfile, -model, -password, -require, -request, -server, -servername, -ssl2, -ssl3, -tls1, -tls1.1, -tls1.2, or tls1.3");
 
 	return TCL_ERROR;
     }
     if (request)	    verify |= SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
     if (request && require) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;

Index: tls.htm
==================================================================
--- tls.htm
+++ tls.htm
@@ -219,10 +219,12 @@
         <dd>Enable use of TLS v1. (<strong>default</strong>: <em>true</em>)</dd>
         <dt>-<strong>tls1.1</strong> <em>bool</em></dt>
         <dd>Enable use of TLS v1.1 (<strong>default</strong>: <em>true</em>)</dd>
         <dt>-<strong>tls1.2</strong> <em>bool</em></dt>
         <dd>Enable use of TLS v1.2 (<strong>default</strong>: <em>true</em>)</dd>
+        <dt>-<strong>tls1.3</strong> <em>bool</em></dt>
+        <dd>Enable use of TLS v1.3 (<strong>default</strong>: <em>true</em>)</dd>
     </dl>
 </blockquote>
 
 <dl>
     <dt><a name="tls::unimport"><b>tls::unimport </b><i>channel</i></a></dt>

Index: tls.tcl
==================================================================
--- tls.tcl
+++ tls.tcl
@@ -47,10 +47,11 @@
         {* -ssl2 iopts 1}
         {* -ssl3 iopts 1}
         {* -tls1 iopts 1}
         {* -tls1.1 iopts 1}
         {* -tls1.2 iopts 1}
+        {* -tls1.3 iopts 1}
     }
 
     # tls::socket and tls::init options as a humane readable string
     variable socketOptionsNoServer
     variable socketOptionsServer