diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 517a063f77..8bc8fd0bc2 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -677,6 +677,7 @@ typedef enum {
     MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED,
     MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO,
     MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO,
+    MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO,
     MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST,
     MBEDTLS_SSL_HANDSHAKE_OVER,
     MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET,
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 7acb725a1c..62af0f99f0 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -963,6 +963,18 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl)
                                                               buf_len,
                                                               msg_len));
 
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+        if ((ssl->handshake->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3) &&
+            (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3)) {
+#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+            mbedtls_ssl_handshake_set_state(
+                ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO);
+#else
+            mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
+#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
+        } else
+#endif
+        mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
         mbedtls_ssl_tls13_finalize_write_client_hello(ssl);
 #endif
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 252c217acb..57843a520e 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1221,9 +1221,7 @@ int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl)
     const unsigned char *psk;
     size_t psk_len;
     const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-#endif
-    mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
-#if defined(MBEDTLS_SSL_EARLY_DATA)
+
     if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {
         MBEDTLS_SSL_DEBUG_MSG(
             1, ("Set hs psk for early data when writing the first psk"));
@@ -1265,10 +1263,6 @@ int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl)
             return ret;
         }
 
-        MBEDTLS_SSL_DEBUG_MSG(
-            1, ("Switch to early data keys for outbound traffic"));
-        mbedtls_ssl_set_outbound_transform(
-            ssl, ssl->handshake->transform_earlydata);
     }
 #endif /* MBEDTLS_SSL_EARLY_DATA */
     return 0;
@@ -2959,6 +2953,17 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
                 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
             }
             break;
+        case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
+            ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
+            if (ret == 0) {
+                mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
+
+                MBEDTLS_SSL_DEBUG_MSG(
+                    1, ("Switch to early data keys for outbound traffic"));
+                mbedtls_ssl_set_outbound_transform(
+                    ssl, ssl->handshake->transform_earlydata);
+            }
+            break;
 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)