diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 003aaf44..81e6fdb9 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -120,6 +120,14 @@ func (c *Conn) clientHandshake() error {
 			if err != nil {
 				return err
 			}
+
+			if c.config.Bugs.SendCurve != 0 {
+				curveID = c.config.Bugs.SendCurve
+			}
+			if c.config.Bugs.InvalidECDHPoint {
+				publicKey[0] ^= 0xff
+			}
+
 			hello.keyShares = append(hello.keyShares, keyShareEntry{
 				group:       curveID,
 				keyExchange: publicKey,
@@ -601,7 +609,7 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
 	masterSecret := hs.finishedHash.extractKey(handshakeSecret, zeroSecret)
 	trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel)
 
-	if certReq != nil {
+	if certReq != nil && !c.config.Bugs.SkipClientCertificate {
 		certMsg := &certificateMsg{
 			hasRequestContext: true,
 			requestContext:    certReq.requestContext,
@@ -633,6 +641,9 @@ func (hs *clientHandshakeState) doTLS13Handshake() error {
 				c.sendAlert(alertInternalError)
 				return err
 			}
+			if c.config.Bugs.SendSignatureAlgorithm != 0 {
+				certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
+			}
 
 			hs.writeClientHash(certVerify.marshal())
 			c.writeRecord(recordTypeHandshake, certVerify.marshal())
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index f6bf0db5..2cdfbee0 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -324,6 +324,10 @@ Curves:
 	}
 
 	hs.hello.cipherSuite = hs.suite.id
+	if c.config.Bugs.SendCipherSuite != 0 {
+		hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite
+	}
+
 	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
 	hs.finishedHash.discardHandshakeBuffer()
 	hs.writeClientHash(hs.clientHello.marshal())
@@ -367,8 +371,17 @@ Curves:
 			return err
 		}
 		hs.hello.hasKeyShare = true
+
+		curveID := selectedKeyShare.group
+		if c.config.Bugs.SendCurve != 0 {
+			curveID = config.Bugs.SendCurve
+		}
+		if c.config.Bugs.InvalidECDHPoint {
+			publicKey[0] ^= 0xff
+		}
+
 		hs.hello.keyShare = keyShareEntry{
-			group:       selectedKeyShare.group,
+			group:       curveID,
 			keyExchange: publicKey,
 		}
 	} else {
@@ -460,6 +473,10 @@ Curves:
 			return err
 		}
 
+		if config.Bugs.SendSignatureAlgorithm != 0 {
+			certVerify.signatureAlgorithm = config.Bugs.SendSignatureAlgorithm
+		}
+
 		hs.writeServerHash(certVerify.marshal())
 		c.writeRecord(recordTypeHandshake, certVerify.marshal())
 	}