diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 324e9f98..d3f9421b 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -496,7 +496,7 @@ size_t ssl_max_handshake_message_len(const SSL *ssl) {
   if (ssl->server) {
     /* The largest acceptable post-handshake message for a server is a
      * KeyUpdate. We will never initiate post-handshake auth. */
-    return 0;
+    return 1;
   }
 
   /* Clients must accept NewSessionTicket and CertificateRequest, so allow the
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 336aa31f..d6e984a0 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -2290,7 +2290,16 @@ func addBasicTests() {
 			expectedError: ":WRONG_VERSION_NUMBER:",
 		},
 		{
-			name: "KeyUpdate",
+			name: "KeyUpdate-Client",
+			config: Config{
+				MaxVersion: VersionTLS13,
+			},
+			sendKeyUpdates:   1,
+			keyUpdateRequest: keyUpdateNotRequested,
+		},
+		{
+			testType: serverTest,
+			name:     "KeyUpdate-Server",
 			config: Config{
 				MaxVersion: VersionTLS13,
 			},