diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 148924ab0d..7db0f6dd40 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7953,6 +7953,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
 return 0;
 }
+ /* Verify callback: precedence order is SSL context, else conf struct. */
 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
 void *p_vrfy;
 if (ssl->f_vrfy != NULL) {
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 6ea5e01d47..fb57aa4a75 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -695,6 +695,19 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 return 0;
 }
+ /* Verify callback: precedence order is SSL context, else conf struct. */
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+ void *p_vrfy;
+ if (ssl->f_vrfy != NULL) {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
+ f_vrfy = ssl->f_vrfy;
+ p_vrfy = ssl->p_vrfy;
+ } else {
+ MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
+ f_vrfy = ssl->conf->f_vrfy;
+ p_vrfy = ssl->conf->p_vrfy;
+ }
+
 /*
 * Main check: verify certificate
 */
@@ -710,7 +723,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 ssl->conf->cert_profile,
 ssl->hostname,
 &verify_result,
- ssl->conf->f_vrfy, ssl->conf->p_vrfy);
+ f_vrfy, p_vrfy);
 } else
 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
 {
@@ -737,7 +750,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 ssl->conf->cert_profile,
 ssl->hostname,
 &verify_result,
- ssl->conf->f_vrfy, ssl->conf->p_vrfy);
+ f_vrfy, p_vrfy);
 }
 if (ret != 0) {
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 5537662486..6b93fda4bf 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
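Review bot: The callback-selection block added at the top of the `@@ -695` hunk in ssl_tls13_generic.c is a verbatim copy of the one already in ssl_parse_certificate_verify in ssl_tls.c (first hunk), down to the two debug strings; a single shared helper in the library's internal SSL header, e.g. `static inline void ssl_get_verify_cb(const mbedtls_ssl_context *ssl, int (**f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void **p_vrfy)`, would keep the precedence rule in one place so the TLS 1.2 and TLS 1.3 paths cannot drift apart again, which is the very divergence this commit repairs. The two later hunks in this file only consume `f_vrfy`/`p_vrfy` at the verify calls and would be unchanged by such a helper. When neither `ssl->f_vrfy` nor `ssl->conf->f_vrfy` is set, `f_vrfy` ends up NULL, as the removed `ssl->conf->f_vrfy` argument already could be, so the verifier's handling of a missing callback is presumably unchanged. ssl_tls13_validate_certificate starts and ends outside the hunk.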
@@ -2724,7 +2724,7 @@ run_test "Single supported algorithm sending: openssl client" \
 # Tests for certificate verification callback
 run_test "Configuration-specific CRT verification callback" \
 "$P_SRV debug_level=3" \
- "$P_CLI force_version=tls12 context_crt_cb=0 debug_level=3" \
+ "$P_CLI context_crt_cb=0 debug_level=3" \
 0 \
 -S "error" \
 -c "Verify requested for " \
@@ -2734,7 +2734,7 @@ run_test "Configuration-specific CRT verification callback" \
 run_test "Context-specific CRT verification callback" \
 "$P_SRV debug_level=3" \
- "$P_CLI force_version=tls12 context_crt_cb=1 debug_level=3" \
+ "$P_CLI context_crt_cb=1 debug_level=3" \
 0 \
 -S "error" \
 -c "Verify requested for " \
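Review bot: Dropping `force_version=tls12` from both client command lines (this hunk and the `@@ -2734` hunk) means the callback precedence is exercised only under whichever protocol version the build negotiates by default, so a TLS 1.3-enabled build no longer covers the TLS 1.2 path in ssl_parse_certificate_verify and a TLS 1.2-only build never reaches the new code in ssl_tls13_validate_certificate. Keeping the existing tests as the explicit TLS 1.2 case and adding `force_version=tls13` variants, guarded by the script's protocol-version requirement helper, would cover both paths in one run. The visible `-c "Verify requested for "` check only proves that some callback ran; a `-c "Use context-specific verification callback"` (and the configuration-specific counterpart for `context_crt_cb=0`) would pin which callback was selected, unless the checks that follow already do so. Both run_test invocations continue past the end of their hunks.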