diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index fc5ceebf04..84b6b8096b 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -55,24 +55,29 @@
 */
 static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
 const unsigned char *buf,
- const unsigned char *end)
+ const unsigned char *end )
 {
+ const unsigned char *p = buf;
 size_t ke_modes_len;
 int ke_modes = 0;
 /* Read PSK mode list length (1 Byte) */
- MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 1 );
- ke_modes_len = *buf++;
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
+ ke_modes_len = *p++;
 /* Currently, there are only two PSK modes, so even without looking
 * at the content, something's wrong if the list has more than 2 items. */
 if( ke_modes_len > 2 )
+ {
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+ }
- MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, ke_modes_len );
+ MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, ke_modes_len );
 while( ke_modes_len-- != 0 )
 {
- switch( *buf++ )
+ switch( *p++ )
 {
 case MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE:
 ke_modes |= MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
@@ -83,6 +88,8 @@ static int ssl_tls13_parse_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Found PSK_EPHEMERAL KEX MODE" ) );
 break;
 default:
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
 return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
 }
 }
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 10aaa4a359..979ae7a621 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -878,6 +878,8 @@ wait_client_done() {
 CLI_EXIT=$?
 kill $DOG_PID >/dev/null 2>&1
+ # For ubuntu 22.04, `Terminated` message is outputed from `wait` command.
+ # to eliminate it from stdout, redirect stdout/stderr to CLI_OUT
 wait $DOG_PID >> $CLI_OUT 2>&1
 echo "EXIT: $CLI_EXIT" >> $CLI_OUT
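Review bot: In the `ke_modes_len > 2` branch the pended alert records `MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER`, but the function still returns `MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE`. The error the caller sees therefore disagrees with the alert reason, and with the `default:` branch in the next hunk, which returns the same code it pends. Changing the line to `return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );` would keep logs and alert handling consistent. Separately, RFC 8446 defines the list as `ke_modes<1..255>`, so a length of 0 is malformed, yet it passes this check and leaves `ke_modes` at 0. Whether that is rejected later cannot be seen here, because the function body continues outside the hunk.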
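Review bot: The `default:` branch now ends the handshake with a fatal `illegal_parameter` alert for any mode byte the server does not recognise, which makes the parser intolerant of values it is expected to skip. RFC 8701 reserves GREASE values for PskKeyExchangeMode that clients may advertise and that servers should treat as unknown and ignore. Combined with the `ke_modes_len > 2` cap in the previous hunk, a client listing both real modes plus one reserved value would be refused. Consider logging and continuing instead, e.g. `default: MBEDTLS_SSL_DEBUG_MSG( 3, ( "Unknown KEX MODE, ignored" ) ); break;`, and relaxing the length cap to match. The enclosing `switch` and function begin outside this hunk.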
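Review bot: The added comment is hard to parse and contains a typo (`outputed`); it should state plainly why the `wait` output is redirected. Suggested wording: `# On Ubuntu 22.04 the shell prints "Terminated" when wait reaps the killed $DOG_PID job;` followed by `# append that message to $CLI_OUT so it does not appear on the test's stdout.` If `$CLI_OUT` is later matched against expected client patterns, the appended shell message could affect those checks, so `/dev/null` may be a cleaner target; this is worth confirming against the rest of the script. `wait_client_done` starts outside the hunk.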
@@ -2309,15 +2311,6 @@ run_test "TLS 1.3: psk_key_exchange_modes: basic check, G->m" \
 -s "Found PSK_EPHEMERAL KEX MODE" \
 -s "Found PSK KEX MODE"
-requires_openssl_tls1_3
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
-requires_config_enabled MBEDTLS_SSL_SRV_C
-requires_config_enabled MBEDTLS_DEBUG_C
-run_test "TLS 1.3: psk_key_exchange_modes: basic check, O->G" \
- "$G_NEXT_SRV -d 50 --pskpasswd data_files/passwd.psk --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3" \
- "$O_NEXT_CLI -tls1_3 -psk 6162636465666768696a6b6c6d6e6f70" \
- 0
-
 # Tests for datagram packing
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 run_test "DTLS: multiple records in same datagram, client and server" \