diff --git a/ssl/ssl_cipher.c b/ssl/ssl_cipher.c
index 3c4f3253..957f032c 100644
--- a/ssl/ssl_cipher.c
+++ b/ssl/ssl_cipher.c
@@ -1730,7 +1730,9 @@ uint16_t SSL_CIPHER_get_min_version(const SSL_CIPHER *cipher) {
 uint16_t SSL_CIPHER_get_max_version(const SSL_CIPHER *cipher) {
 if (cipher->algorithm_mac == SSL_AEAD &&
 (cipher->algorithm_enc & SSL_CHACHA20POLY1305_OLD) == 0 &&
- (cipher->algorithm_mkey & SSL_kECDHE) != 0) {
+ (cipher->algorithm_mkey & SSL_kECDHE) != 0 &&
+ /* TODO(davidben,svaldez): Support PSK-based ciphers in TLS 1.3. */
+ (cipher->algorithm_auth & SSL_aCERT) != 0) {
 return TLS1_3_VERSION;
 }
 return TLS1_2_VERSION;
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 45dc7cba..4f9861f3 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -1016,7 +1016,24 @@ func isTLS12Only(suiteName string) bool {
 }
 
 func isTLS13Suite(suiteName string) bool {
- return (hasComponent(suiteName, "GCM") || hasComponent(suiteName, "POLY1305")) && hasComponent(suiteName, "ECDHE") && !hasComponent(suiteName, "OLD")
+ // Only AEADs.
+ if !hasComponent(suiteName, "GCM") && !hasComponent(suiteName, "POLY1305") {
+ return false
+ }
+ // No old CHACHA20_POLY1305.
+ if hasComponent(suiteName, "CHACHA20-POLY1305-OLD") {
+ return false
+ }
+ // Must have ECDHE.
+ // TODO(davidben,svaldez): Add pure PSK support.
+ if !hasComponent(suiteName, "ECDHE") {
+ return false
+ }
+ // TODO(davidben,svaldez): Add PSK support.
+ if hasComponent(suiteName, "PSK") {
+ return false
+ }
+ return true
 }
 
 func isDTLSCipher(suiteName string) bool {
@@ -2150,7 +2167,7 @@ func addCipherSuiteTests() {
 shouldClientFail = true
 shouldServerFail = true
 }
- if !isTLS13Suite(suite.name) && ver.version == VersionTLS13 {
+ if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
 shouldClientFail = true
 shouldServerFail = true
 }
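Review bot: The TLS 1.3 gate in SSL_CIPHER_get_max_version is now a four-clause allowlist with the TODO wedged between two operands, and nothing states that a cipher failing any clause is deliberately capped at TLS 1.2. I would hoist the comment above the `if` and spell out the policy, for example `/* TLS 1.3 is offered only for certificate-authenticated ECDHE AEADs; everything else, including ECDHE-PSK, stays capped at TLS 1.2. TODO(davidben,svaldez): Support PSK-based ciphers in TLS 1.3. */`. SSL_aCERT is defined outside this hunk, so it is worth confirming that it is a mask covering exactly the certificate-based authentication methods, since `!= 0` matches on any single bit.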
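Review bot: isTLS13Suite rejects suites by the name component `PSK`, while the C side in this same commit admits only ciphers with an `SSL_aCERT` bit, so the test predicate is a denylist mirroring an allowlist and the two can drift if a suite with another authentication type is added. A mismatch would make addCipherSuiteTests expect the wrong outcome at TLS 1.3 instead of catching a library regression. At minimum add `// Keep in sync with SSL_CIPHER_get_max_version in ssl/ssl_cipher.c.` above the function. The OLD check also narrowed from the component `OLD` to `CHACHA20-POLY1305-OLD`. hasComponent is defined outside this hunk, so confirm that it matches a multi-part component the way this call assumes.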