diff --git a/samples/crypto/psa_tls/overlays/tls_13.conf b/samples/crypto/psa_tls/overlays/tls_13.conf
new file mode 100644
index 000000000000..e65076b1ee05
--- /dev/null
+++ b/samples/crypto/psa_tls/overlays/tls_13.conf
@@ -0,0 +1,13 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+CONFIG_MBEDTLS_TLS_VERSION_1_3=y
+
+CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE=y
+CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED=y
+CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED=y
+
+CONFIG_PSA_WANT_ALG_HKDF_EXTRACT=y
+CONFIG_PSA_WANT_ALG_HKDF_EXPAND=y
diff --git a/samples/crypto/psa_tls/sample.yaml b/samples/crypto/psa_tls/sample.yaml
index 75104b36a508..8b98e4c04528 100644
--- a/samples/crypto/psa_tls/sample.yaml
+++ b/samples/crypto/psa_tls/sample.yaml
@@ -81,6 +81,43 @@ tests:
       - nrf9151dk/nrf9151
       - nrf9151dk/nrf9151/ns
     tags: ci_build cc3xx_oberon dtls sysbuild ci_samples_crypto
+  sample.psa_tls.tls_1_3_server.ecdsa.cc3xx_oberon:
+    sysbuild: true
+    build_only: true
+    extra_args: >
+      OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_13.conf"
+    platform_allow: >
+      nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns
+      nrf9160dk/nrf9160/ns nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151
+      nrf9151dk/nrf9151/ns
+    integration_platforms:
+      - nrf5340dk/nrf5340/cpuapp
+      - nrf5340dk/nrf5340/cpuapp/ns
+      - nrf9160dk/nrf9160
+      - nrf9160dk/nrf9160/ns
+      - nrf9161dk/nrf9161
+      - nrf9161dk/nrf9161/ns
+      - nrf9151dk/nrf9151
+      - nrf9151dk/nrf9151/ns
+    tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto
+  sample.psa_tls.tls_1_3_client.ecdsa.cc3xx_oberon:
+    sysbuild: true
+    build_only: true
+    extra_args: >
+      OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_13.conf"
+    platform_allow: >
+      nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns nrf9160dk/nrf9160/ns
+      nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151 nrf9151dk/nrf9151/ns
+    integration_platforms:
+      - nrf5340dk/nrf5340/cpuapp
+      - nrf5340dk/nrf5340/cpuapp/ns
+      - nrf9160dk/nrf9160
+      - nrf9160dk/nrf9160/ns
+      - nrf9161dk/nrf9161
+      - nrf9161dk/nrf9161/ns
+      - nrf9151dk/nrf9151
+      - nrf9151dk/nrf9151/ns
+    tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto
   ################################################################################
   ## PSA APIs with Oberon
   ################################################################################
@@ -138,6 +175,35 @@ tests:
       - nrf54l15dk/nrf54l15/cpuapp/ns
     tags: ci_build cracen sysbuild ci_samples_crypto
   ################################################################################
+  ## PSA APIs with Cracen and Oberon
+  ################################################################################
+  sample.psa_tls.1_3_server.ecdsa.cracen_oberon:
+    sysbuild: true
+    build_only: true
+    extra_args: >
+      OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cracen-oberon-psa.conf;overlays/tls_13.conf"
+    platform_allow: >
+      nrf54l15dk/nrf54l15/cpuapp nrf54l15pdk/nrf54l15/cpuapp
+      nrf54l15dk/nrf54l15/cpuapp/ns
+    integration_platforms:
+      - nrf54l15dk/nrf54l15/cpuapp
+      - nrf54l15pdk/nrf54l15/cpuapp
+      - nrf54l15dk/nrf54l15/cpuapp/ns
+    tags: ci_build cracen_oberon sysbuild ci_samples_crypto
+  sample.psa_tls.1_3_client.ecdsa.cracen_oberon:
+    sysbuild: true
+    build_only: true
+    extra_args: >
+      OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cracen-oberon-psa.conf;overlays/tls_13.conf"
+    platform_allow: >
+      nrf54l15dk/nrf54l15/cpuapp nrf54l15pdk/nrf54l15/cpuapp
+      nrf54l15dk/nrf54l15/cpuapp/ns
+    integration_platforms:
+      - nrf54l15dk/nrf54l15/cpuapp
+      - nrf54l15pdk/nrf54l15/cpuapp
+      - nrf54l15dk/nrf54l15/cpuapp/ns
+    tags: ci_build cracen_oberon sysbuild ci_samples_crypto
+  ################################################################################
   ## Legacy APIs with Cryptocell (secure-only)
   ################################################################################
   sample.psa_tls.tls_server.rsa.cc3xx_legacy:
diff --git a/samples/crypto/psa_tls/src/psa_tls_functions_client.c b/samples/crypto/psa_tls/src/psa_tls_functions_client.c
index fabbc0486718..bf003656d52f 100644
--- a/samples/crypto/psa_tls/src/psa_tls_functions_client.c
+++ b/samples/crypto/psa_tls/src/psa_tls_functions_client.c
@@ -38,7 +38,11 @@ static int setup_tls_client_socket(void)
 		PSK_TAG,
 	};
 
+#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
+	sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_3);
+#else
 	sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_2);
+#endif
 	if (sock < 0) {
 		LOG_ERR("Failed to create a socket. Err: %d", errno);
 		return -errno;
diff --git a/samples/crypto/psa_tls/src/psa_tls_functions_server.c b/samples/crypto/psa_tls/src/psa_tls_functions_server.c
index 50be65aa11c9..bd91229517c1 100644
--- a/samples/crypto/psa_tls/src/psa_tls_functions_server.c
+++ b/samples/crypto/psa_tls/src/psa_tls_functions_server.c
@@ -41,7 +41,11 @@ static int setup_tls_server_socket(void)
 	memset(&my_addr, 0, sizeof(my_addr));
 	my_addr.sin_family = AF_INET;
 	my_addr.sin_port = htons(SERVER_PORT);
+#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
+	sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_3);
+#else
 	sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_2);
+#endif
 
 	err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
 			 sizeof(sec_tag_list));
diff --git a/subsys/nrf_security/Kconfig.tls b/subsys/nrf_security/Kconfig.tls
index 626db6f411da..2609826925b3 100644
--- a/subsys/nrf_security/Kconfig.tls
+++ b/subsys/nrf_security/Kconfig.tls
@@ -143,6 +143,9 @@ config MBEDTLS_SSL_COOKIE_C
 
 endif # MBEDTLS_SSL_PROTO_TLS1_2
 
+config MBEDTLS_TLS_VERSION_1_3
+	bool "Support for TLS 1.3"
+
 config MBEDTLS_DEBUG_C
 	bool
 	prompt "Enable the debug functions for TLS."
@@ -325,6 +328,31 @@ config MBEDTLS_SSL_CIPHERSUITES
 	  Warning: This field has offers no validation checks.
 	  MBEDTLS_SSL_CIPHERSUITES setting in mbed TLS config file.
 
+if MBEDTLS_TLS_VERSION_1_3
+
+config MBEDTLS_SSL_PROTO_TLS1_3
+	bool
+	default y
+
+config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+	bool "Enable TLS1.3 middlebox compatibility mode"
+	default y
+	help
+	  As specified in RFC8446, TLS 1.3 offers a compatibility mode to make a TLS
+	  1.3 connection more likely to pass through middle boxes expecting TLS 1.2
+	  traffic
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+	bool "TLS 1.3 PSK key exchange mode"
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+	bool "TLS 1.3 ephemeral key exchange mode"
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+	bool "TLS 1.3 PSK ephemeral key exchange mode"
+
+endif # MBEDTLS_TLS_VERSION_1_3
+
 menu "TLS/DTL Cipher Suites"
 
 config MBEDTLS_HAS_CBC_CIPHERSUITE_REQUIREMENTS
diff --git a/subsys/nrf_security/cmake/nrf_config.cmake b/subsys/nrf_security/cmake/nrf_config.cmake
index 3a19409c6ce6..b274f06b39e2 100644
--- a/subsys/nrf_security/cmake/nrf_config.cmake
+++ b/subsys/nrf_security/cmake/nrf_config.cmake
@@ -107,6 +107,11 @@ if (NOT MBEDTLS_PSA_CRYPTO_SPM)
   kconfig_check_and_set_base(MBEDTLS_SSL_RENEGOTIATION)
   kconfig_check_and_set_base(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
   kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_2)
+  kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_3)
+  kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
+  kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+  kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
+  kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
   kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_DTLS)
   kconfig_check_and_set_base(MBEDTLS_SSL_ALPN)
   kconfig_check_and_set_base(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
diff --git a/subsys/nrf_security/configs/nrf-config.h.template b/subsys/nrf_security/configs/nrf-config.h.template
index abfff20d3448..7cb289114dab 100644
--- a/subsys/nrf_security/configs/nrf-config.h.template
+++ b/subsys/nrf_security/configs/nrf-config.h.template
@@ -115,6 +115,11 @@
 #cmakedefine MBEDTLS_SSL_RENEGOTIATION
 #cmakedefine MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 #cmakedefine MBEDTLS_SSL_PROTO_TLS1_2
+#cmakedefine MBEDTLS_SSL_PROTO_TLS1_3
+#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+#cmakedefine MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 #cmakedefine MBEDTLS_SSL_PROTO_DTLS
 #cmakedefine MBEDTLS_SSL_ALPN
 #cmakedefine MBEDTLS_SSL_DTLS_ANTI_REPLAY