diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 141c40a4e..abf33a634 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -809,6 +809,14 @@ struct mbedtls_ssl_handshake_params
             size_t digest_len;
         } finished_in;
 
+#if defined(MBEDTLS_SSL_SRV_C)
+        /* Server, outgoing ClientKeyExchange */
+        struct
+        {
+            uint8_t preparation_done;
+        } encrypted_extensions_out;
+#endif /* MBEDTLS_SSL_SRV_C */
+
     } state_local;
 
     /* End of state-local variables. */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index d06b9a88e..72ac8ad50 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -22,10 +22,186 @@
 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
 
 #include "mbedtls/debug.h"
+#include "mbedtls/error.h"
+#include "mbedtls/platform.h"
+#include <string.h>
 
 #include "ssl_misc.h"
 #include "ssl_tls13_keys.h"
 #include "ssl_debug_helpers.h"
+#include "ecdh_misc.h"
+#include "ssl_tls13_keys.h"
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+/*
+ * struct {
+ *      ExtensionType extension_type;
+ *      opaque extension_data<0..2^16-1>;
+ *  } Extension;
+ */
+static int ssl_tls13_write_sni_server_ext( mbedtls_ssl_context *ssl,
+                                           unsigned char *buf,
+                                           unsigned char *end,
+                                           size_t *out_len )
+{
+    unsigned char *p = buf;
+    *out_len = 0;
+
+    if( ( ssl->handshake->extensions_present &
+          MBEDTLS_SSL_EXT_SERVERNAME ) == 0 )
+    {
+        return( 0 );
+    }
+
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding server_name extension" ) );
+
+    /* Check if we have enough space:
+     * - ExtensionType      (2 bytes)
+     * - extensions length  (2 bytes)
+     */
+    MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4);
+
+    /* Write extension type */
+    MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SERVERNAME, p, 0 );
+
+    /* Write extension length */
+    MBEDTLS_PUT_UINT16_BE( 0, p, 2 );
+
+    *out_len = 4;
+
+    return( 0 );
+}
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+
+static int ssl_tls13_prepare_encrypted_extensions( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_ssl_key_set traffic_keys;
+    mbedtls_ssl_transform *transform_handshake = NULL;
+
+    /* Compute handshake secret */
+    ret = mbedtls_ssl_tls13_key_schedule_stage_handshake( ssl );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_key_schedule_stage_handshake", ret );
+        return( ret );
+    }
+
+    /* Derive handshake key material */
+    ret = mbedtls_ssl_tls13_generate_handshake_keys( ssl, &traffic_keys );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1,
+                "mbedtls_ssl_tls13_generate_handshake_keys", ret );
+        return( ret );
+    }
+
+    transform_handshake = mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
+    if( transform_handshake == NULL )
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+    /* Setup transform from handshake key material */
+    ret = mbedtls_ssl_tls13_populate_transform(
+                               transform_handshake,
+                               ssl->conf->endpoint,
+                               ssl->session_negotiate->ciphersuite,
+                               &traffic_keys,
+                               ssl );
+    if( ret != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
+        mbedtls_free( transform_handshake );
+        return( ret );
+    }
+
+    ssl->handshake->transform_handshake = transform_handshake;
+    mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
+
+    /*
+     * Switch to our negotiated transform and session parameters for outbound
+     * data.
+     */
+    MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
+    memset( ssl->out_ctr, 0, 8 );
+
+    return( 0 );
+}
+
+/*
+ * struct {
+ *    Extension extensions<0..2 ^ 16 - 1>;
+ * } EncryptedExtensions;
+ *
+ */
+static int ssl_tls13_write_encrypted_extensions( mbedtls_ssl_context *ssl,
+                                                 unsigned char *buf,
+                                                 unsigned char *end,
+                                                 size_t *out_len )
+{
+    unsigned char *p = buf;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    size_t extensions_len = 0;
+    unsigned char *p_extensions_len;
+    size_t length = 0; // length of this extension
+    *out_len = 0;
+
+    /* Skip extension length; first write extensions, then update length */
+    p_extensions_len = p;
+    p += 2;
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    ret = ssl_tls13_write_sni_server_ext( ssl, p, end, &length );
+    if( ret != 0 )
+        return( ret );
+    p += length;
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+
+    *out_len = (size_t)( p - buf );
+
+    /* write extensions length */
+    extensions_len = ( p - p_extensions_len ) - 2;
+    MBEDTLS_PUT_UINT16_BE( extensions_len, p_extensions_len, 0);
+
+    return( 0 );
+}
+
+static int ssl_tls13_process_encrypted_extensions( mbedtls_ssl_context *ssl )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    unsigned char *buf;
+    size_t buf_len = 0;
+    size_t msg_len = 0;
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write encrypted extension" ) );
+
+    if( ssl->handshake->state_local.encrypted_extensions_out.preparation_done == 0 )
+    {
+        MBEDTLS_SSL_PROC_CHK( ssl_tls13_prepare_encrypted_extensions( ssl ) );
+        ssl->handshake->state_local.encrypted_extensions_out.preparation_done = 1;
+    }
+
+    MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl,
+                       MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf, &buf_len ) );
+
+    MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_encrypted_extensions(
+                              ssl, buf, buf + buf_len, &msg_len ) );
+
+    mbedtls_ssl_add_hs_msg_to_checksum(
+        ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len );
+
+    /* Update state */
+    mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_REQUEST );
+
+    MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
+                              ssl, buf_len, msg_len ) );
+
+cleanup:
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write encrypted extension" ) );
+    return( ret );
+}
+
 
 #if defined(MBEDTLS_ECP_C)
 #include "mbedtls/ecp.h"
@@ -1089,6 +1265,14 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
             ret = ssl_tls13_write_server_hello( ssl );
             break;
 
+        case MBEDTLS_SSL_ENCRYPTED_EXTENSIONS:
+            ret = ssl_tls13_process_encrypted_extensions( ssl );
+            if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_process_encrypted_extensions", ret );
+            }
+            break;
+
         default:
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
             return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );