diff --git a/library/ssl_client.c b/library/ssl_client.c
index 82695f1bc..6d3789d59 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -518,7 +518,11 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_DTLS)
     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
     {
-        unsigned char cookie_len = 0;
+#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
+        uint8_t cookie_len = 0;
+#else
+        uint16_t cookie_len = 0;
+#endif /* !MBEDTLS_SSL_PROTO_TLS1_3 */
 
         if( handshake->cookie != NULL )
         {
@@ -529,7 +533,7 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
         }
 
         MBEDTLS_SSL_CHK_BUF_PTR( p, end, cookie_len + 1 );
-        *p++ = cookie_len;
+        *p++ = ( unsigned char )cookie_len;
         if( cookie_len > 0 )
         {
             memcpy( p, handshake->cookie, cookie_len );
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index dd55456c9..0444f27b8 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1137,7 +1137,12 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
 {
     const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
     uint16_t dtls_legacy_version;
-    unsigned char cookie_len;
+
+#if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    uint8_t cookie_len;
+#else
+    uint16_t cookie_len;
+#endif
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse hello verify request" ) );