diff --git a/ssl/internal.h b/ssl/internal.h
index e3d04634..14265f94 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -905,6 +905,10 @@ int tls13_handshake(SSL *ssl);
 enum ssl_hs_wait_t tls13_client_handshake(SSL *ssl);
 enum ssl_hs_wait_t tls13_server_handshake(SSL *ssl);
 
+/* tls13_post_handshake processes a post-handshake message. It returns one on
+ * success and zero on failure. */
+int tls13_post_handshake(SSL *ssl);
+
 /* tls13_check_message_type checks if the current message has type |type|. If so
  * it returns one. Otherwise, it sends an alert and returns zero. */
 int tls13_check_message_type(SSL *ssl, int type);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index c1619504..f06c0ded 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -675,9 +675,7 @@ static int ssl_do_post_handshake(SSL *ssl) {
     return ssl_do_renegotiate(ssl);
   }
 
-  /* TODO(svaldez): Handle TLS 1.3 post-handshake messages. For now,
-   * silently drop them. */
-  return 1;
+  return tls13_post_handshake(ssl);
 }
 
 static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) {
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 8815f8f4..48d87037 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -5144,10 +5144,6 @@ func addRenegotiationTests() {
 	})
 
 	// Renegotiation is forbidden in TLS 1.3.
-	//
-	// TODO(davidben): This test current asserts that we ignore
-	// HelloRequests, but we actually should hard reject them. Fix this
-	// test once we actually parse post-handshake messages.
 	testCases = append(testCases, testCase{
 		name: "Renegotiate-Client-TLS13",
 		config: Config{
@@ -5159,6 +5155,8 @@ func addRenegotiationTests() {
 		flags: []string{
 			"-renegotiate-freely",
 		},
+		shouldFail:    true,
+		expectedError: ":UNEXPECTED_MESSAGE:",
 	})
 
 	// Stray HelloRequests during the handshake are forbidden in TLS 1.3.
diff --git a/ssl/tls13_both.c b/ssl/tls13_both.c
index 7b276dfa..1f604539 100644
--- a/ssl/tls13_both.c
+++ b/ssl/tls13_both.c
@@ -452,3 +452,18 @@ int tls13_prepare_finished(SSL *ssl) {
 
   return 1;
 }
+
+int tls13_post_handshake(SSL *ssl) {
+  if (ssl->s3->tmp.message_type == SSL3_MT_NEW_SESSION_TICKET &&
+      !ssl->server) {
+    // TODO(svaldez): Handle NewSessionTicket.
+    return 1;
+  }
+
+  // TODO(svaldez): Handle post-handshake authentication.
+  // TODO(svaldez): Handle KeyUpdate.
+
+  ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+  OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE);
+  return 0;
+}