diff --git a/src/tls.c b/src/tls.c
index 0f81262367..1d6b1c70b5 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -7874,6 +7874,8 @@ static int TLSX_KeyShare_Parse(WOLFSSL* ssl, byte* input, word16 length,
 
         /* Try to use the server's group. */
         ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);
+        if (ret == 0)
+            ssl->session.namedGroup = ssl->namedGroup = group;
     }
     else {
         /* Not a message type that is allowed to have this extension. */
diff --git a/src/tls13.c b/src/tls13.c
index 4b7b9f9d83..c7fa392d45 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -3320,10 +3320,20 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         }
     }
 #endif
-
+    
     if (*extMsgType == server_hello) {
+        /* sanity check on PSK / KSE */
+        if (
+    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
+            ssl->options.pskNegotiated == 0 &&
+    #endif
+            ssl->session.namedGroup == 0) {
+            return EXT_MISSING;
+        }
+
         ssl->keys.encryptionOn = 1;
         ssl->options.serverState = SERVER_HELLO_COMPLETE;
+
     }
     else {
         ssl->options.tls1_3 = 1;