diff --git a/include/ldap.h b/include/ldap.h
index ee223eff47..8f45144e11 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -179,6 +179,7 @@ LDAP_BEGIN_DECL
 #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_0 ((3 << 8) + 1)
 #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
 #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
+#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_3 ((3 << 8) + 4)
 #define LDAP_OPT_X_SASL_CBINDING_NONE 0
 #define LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE 1
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 8eee6abcbd..f4d5401e3a 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -292,6 +292,13 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 #ifdef SSL_OP_NO_TLSv1
 #ifdef SSL_OP_NO_TLSv1_1
 #ifdef SSL_OP_NO_TLSv1_2
+#ifdef SSL_OP_NO_TLSv1_3
+ if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_3)
+ SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+ SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
+ SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3 );
+ else
+#endif
 if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2)
 SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
 SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 |
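Review bot: In the added `#ifdef SSL_OP_NO_TLSv1_3` branch of tlso_ctx_init, an `ldo_tls_protocol_min` above `LDAP_OPT_X_TLS_PROTOCOL_TLS1_3` masks off every protocol version listed, TLS 1.3 included, so the context presumably cannot negotiate anything and the setting only surfaces later as a handshake failure. That fail-closed result looks intended, but it deserves a comment such as `/* minimum is above TLS 1.3: disable every known version, handshakes will fail */`, and ideally a debug message at this point so operators can trace the cause. The bare `else` directly before `#endif` also ties an unbraced if/else chain to a preprocessor conditional; bracing each arm would make the ladder safer to extend for the next protocol version. On OpenSSL 1.1.0 and later the SSL_OP_NO_* version options are documented as deprecated in favour of `SSL_CTX_set_min_proto_version()`, which may be worth adopting where it is available. The function body starts before and continues past this hunk, so the rest of the chain is not visible here.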