diff --git a/samples/crypto/psa_tls/overlays/tls_13.conf b/samples/crypto/psa_tls/overlays/tls_13.conf
new file mode 100644
index 000000000000..e65076b1ee05
--- /dev/null
+++ b/samples/crypto/psa_tls/overlays/tls_13.conf
@@ -0,0 +1,13 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+CONFIG_MBEDTLS_TLS_VERSION_1_3=y
+
+CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE=y
+CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED=y
+CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED=y
+
+CONFIG_PSA_WANT_ALG_HKDF_EXTRACT=y
+CONFIG_PSA_WANT_ALG_HKDF_EXPAND=y
diff --git a/samples/crypto/psa_tls/sample.yaml b/samples/crypto/psa_tls/sample.yaml
index 75104b36a508..6b703e81cf33 100644
--- a/samples/crypto/psa_tls/sample.yaml
+++ b/samples/crypto/psa_tls/sample.yaml
@@ -81,6 +81,43 @@ tests:
       - nrf9151dk/nrf9151
       - nrf9151dk/nrf9151/ns
     tags: ci_build cc3xx_oberon dtls sysbuild ci_samples_crypto
+  sample.psa_tls.tls_1_3_server.ecdsa.cc3xx_oberon:
+    sysbuild: true
+    build_only: true
+    extra_args: >
+      OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_13.conf"
+    platform_allow: >
+      nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns
+      nrf9160dk/nrf9160/ns nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151
+      nrf9151dk/nrf9151/ns
+    integration_platforms:
+      - nrf5340dk/nrf5340/cpuapp
+      - nrf5340dk/nrf5340/cpuapp/ns
+      - nrf9160dk/nrf9160
+      - nrf9160dk/nrf9160/ns
+      - nrf9161dk/nrf9161
+      - nrf9161dk/nrf9161/ns
+      - nrf9151dk/nrf9151
+      - nrf9151dk/nrf9151/ns
+    tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto
+  sample.psa_tls.tls_1_3_client.ecdsa.cc3xx_oberon:
+    sysbuild: true
+    build_only: true
+    extra_args: >
+      OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_13.conf"
+    platform_allow: >
+      nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns nrf9160dk/nrf9160/ns
+      nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151 nrf9151dk/nrf9151/ns
+    integration_platforms:
+      - nrf5340dk/nrf5340/cpuapp
+      - nrf5340dk/nrf5340/cpuapp/ns
+      - nrf9160dk/nrf9160
+      - nrf9160dk/nrf9160/ns
+      - nrf9161dk/nrf9161
+      - nrf9161dk/nrf9161/ns
+      - nrf9151dk/nrf9151
+      - nrf9151dk/nrf9151/ns
+    tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto
   ################################################################################
   ## PSA APIs with Oberon
   ################################################################################
@@ -108,6 +145,30 @@ tests:
       - nrf54l15dk/nrf54l15/cpuapp
       - nrf54l15pdk/nrf54l15/cpuapp
     tags: ci_build oberon sysbuild ci_samples_crypto
+  sample.psa_tls.1_3_server.ecdsa.oberon:
+    sysbuild: true
+    build_only: true
+    extra_args: >
+      OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/oberon-psa.conf;overlays/tls_13.conf"
+    platform_allow: >
+      nrf54l15dk/nrf54l15/cpuapp
+      nrf54l15pdk/nrf54l15/cpuapp
+    integration_platforms:
+      - nrf54l15dk/nrf54l15/cpuapp
+      - nrf54l15pdk/nrf54l15/cpuapp
+    tags: ci_build oberon sysbuild ci_samples_crypto
+  sample.psa_tls.1_3_client.ecdsa.oberon:
+    sysbuild: true
+    build_only: true
+    extra_args: >
+      OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/oberon-psa.conf;overlays/tls_13.conf"
+    platform_allow: >
+      nrf54l15dk/nrf54l15/cpuapp
+      nrf54l15pdk/nrf54l15/cpuapp
+    integration_platforms:
+      - nrf54l15dk/nrf54l15/cpuapp
+      - nrf54l15pdk/nrf54l15/cpuapp
+    tags: ci_build oberon sysbuild ci_samples_crypto
   ################################################################################
   ## PSA APIs with Cracen
   ################################################################################
@@ -137,6 +198,32 @@ tests:
       - nrf54l15pdk/nrf54l15/cpuapp
       - nrf54l15dk/nrf54l15/cpuapp/ns
     tags: ci_build cracen sysbuild ci_samples_crypto
+  sample.psa_tls.1_3_server.ecdsa.cracen:
+    sysbuild: true
+    build_only: true
+    extra_args: >
+      OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cracen-psa.conf;overlays/tls_13.conf"
+    platform_allow: >
+      nrf54l15dk/nrf54l15/cpuapp nrf54l15pdk/nrf54l15/cpuapp
+      nrf54l15dk/nrf54l15/cpuapp/ns
+    integration_platforms:
+      - nrf54l15dk/nrf54l15/cpuapp
+      - nrf54l15pdk/nrf54l15/cpuapp
+      - nrf54l15dk/nrf54l15/cpuapp/ns
+    tags: ci_build cracen sysbuild ci_samples_crypto
+  sample.psa_tls.1_3_client.ecdsa.cracen:
+    sysbuild: true
+    build_only: true
+    extra_args: >
+      OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cracen-psa.conf;overlays/tls_13.conf"
+    platform_allow: >
+      nrf54l15dk/nrf54l15/cpuapp nrf54l15pdk/nrf54l15/cpuapp
+      nrf54l15dk/nrf54l15/cpuapp/ns
+    integration_platforms:
+      - nrf54l15dk/nrf54l15/cpuapp
+      - nrf54l15pdk/nrf54l15/cpuapp
+      - nrf54l15dk/nrf54l15/cpuapp/ns
+    tags: ci_build cracen sysbuild ci_samples_crypto
   ################################################################################
   ## Legacy APIs with Cryptocell (secure-only)
   ################################################################################
diff --git a/samples/crypto/psa_tls/src/psa_tls_functions_client.c b/samples/crypto/psa_tls/src/psa_tls_functions_client.c
index fabbc0486718..238d96602a0c 100644
--- a/samples/crypto/psa_tls/src/psa_tls_functions_client.c
+++ b/samples/crypto/psa_tls/src/psa_tls_functions_client.c
@@ -38,7 +38,11 @@ static int setup_tls_client_socket(void)
 		PSK_TAG,
 	};
 
+#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
+	sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_3);
+#else
 	sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_2);
+#endif
 	if (sock < 0) {
 		LOG_ERR("Failed to create a socket. Err: %d", errno);
 		return -errno;
@@ -54,6 +58,7 @@ static int setup_tls_client_socket(void)
 
 	err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
 			 sizeof(sec_tag_list));
+
 	if (err < 0) {
 		LOG_ERR("Failed to set TLS security TAG list. Err: %d", errno);
 		(void)close(sock);
diff --git a/samples/crypto/psa_tls/src/psa_tls_functions_server.c b/samples/crypto/psa_tls/src/psa_tls_functions_server.c
index 50be65aa11c9..bd91229517c1 100644
--- a/samples/crypto/psa_tls/src/psa_tls_functions_server.c
+++ b/samples/crypto/psa_tls/src/psa_tls_functions_server.c
@@ -41,7 +41,11 @@ static int setup_tls_server_socket(void)
 	memset(&my_addr, 0, sizeof(my_addr));
 	my_addr.sin_family = AF_INET;
 	my_addr.sin_port = htons(SERVER_PORT);
+#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
+	sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_3);
+#else
 	sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_2);
+#endif
 
 	err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
 			 sizeof(sec_tag_list));
diff --git a/subsys/nrf_security/Kconfig.tls b/subsys/nrf_security/Kconfig.tls
index 626db6f411da..ecce37dd1afc 100644
--- a/subsys/nrf_security/Kconfig.tls
+++ b/subsys/nrf_security/Kconfig.tls
@@ -116,6 +116,7 @@ config MBEDTLS_SSL_PROTO_TLS1_2
 
 if MBEDTLS_SSL_PROTO_TLS1_2
 
+
 config MBEDTLS_SSL_ENCRYPT_THEN_MAC
 	bool
 	default y
@@ -143,6 +144,9 @@ config MBEDTLS_SSL_COOKIE_C
 
 endif # MBEDTLS_SSL_PROTO_TLS1_2
 
+config MBEDTLS_TLS_VERSION_1_3
+	bool "Support for TLS 1.3"
+
 config MBEDTLS_DEBUG_C
 	bool
 	prompt "Enable the debug functions for TLS."
@@ -256,6 +260,22 @@ config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 	  reduces RAM usage.
 	  Corresponds to MBEDTLS_SSL_KEEP_PEER_CERTIFICATE in mbed TLS config file.
 
+config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+	bool
+	prompt "Enable TLS1.3 middlebox compatibility mode"
+	default n
+	help
+	  As specified in RFC8446, TLS 1.3 offers a compatibility mode to make a TLS
+	  1.3 connection more likely to pass through middle boxes expecting TLS 1.2
+	  traffic
+
+config MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED
+	bool
+	prompt "Allow Handshake with psk"
+	default n
+	help
+	  Allows a handshake to be done with a PSK shared in a previous one.
+
 config MBEDTLS_SSL_RENEGOTIATION
 	bool
 	prompt "SSL - Renegotiation"
@@ -325,6 +345,29 @@ config MBEDTLS_SSL_CIPHERSUITES
 	  Warning: This field has offers no validation checks.
 	  MBEDTLS_SSL_CIPHERSUITES setting in mbed TLS config file.
 
+if MBEDTLS_TLS_VERSION_1_3
+
+config MBEDTLS_SSL_PROTO_TLS1_3
+	bool "Enable TLS version 1.3 protocol"
+	default y
+	help
+	  Enable the TLS 1.3 protocol
+	  Corresponds to MBEDTLS_SSL_PROTO_TLS1_3 in mbed TLS config file
+
+config MBEDTLS_TLS_SESSION_TICKETS
+	bool "Support for RFC 5077 session tickets in TLS 1.3"
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+	bool "TLS 1.3 PSK key exchange mode"
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+	bool "TLS 1.3 ephemeral key exchange mode"
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+	bool "TLS 1.3 PSK ephemeral key exchange mode"
+
+endif # MBEDTLS_TLS_VERSION_1_3
+
 menu "TLS/DTL Cipher Suites"
 
 config MBEDTLS_HAS_CBC_CIPHERSUITE_REQUIREMENTS
diff --git a/subsys/nrf_security/cmake/nrf_config.cmake b/subsys/nrf_security/cmake/nrf_config.cmake
index 3a19409c6ce6..37b01e91068d 100644
--- a/subsys/nrf_security/cmake/nrf_config.cmake
+++ b/subsys/nrf_security/cmake/nrf_config.cmake
@@ -107,6 +107,12 @@ if (NOT MBEDTLS_PSA_CRYPTO_SPM)
   kconfig_check_and_set_base(MBEDTLS_SSL_RENEGOTIATION)
   kconfig_check_and_set_base(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
   kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_2)
+  kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_3)
+  kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
+  kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+  kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
+  kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
+  kconfig_check_and_set_base(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
   kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_DTLS)
   kconfig_check_and_set_base(MBEDTLS_SSL_ALPN)
   kconfig_check_and_set_base(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
diff --git a/subsys/nrf_security/configs/nrf-config.h.template b/subsys/nrf_security/configs/nrf-config.h.template
index abfff20d3448..4dc912f46204 100644
--- a/subsys/nrf_security/configs/nrf-config.h.template
+++ b/subsys/nrf_security/configs/nrf-config.h.template
@@ -115,6 +115,12 @@
 #cmakedefine MBEDTLS_SSL_RENEGOTIATION
 #cmakedefine MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 #cmakedefine MBEDTLS_SSL_PROTO_TLS1_2
+#cmakedefine MBEDTLS_SSL_PROTO_TLS1_3
+#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+#cmakedefine MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED
+#cmakedefine MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 #cmakedefine MBEDTLS_SSL_PROTO_DTLS
 #cmakedefine MBEDTLS_SSL_ALPN
 #cmakedefine MBEDTLS_SSL_DTLS_ANTI_REPLAY