diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 5e930ceb..032388c4 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -8966,7 +8966,7 @@ func addTLS13HandshakeTests() {
 		},
 		resumeSession: true,
 		shouldFail:    true,
-		expectedError: ":UNEXPECTED_EXTENSION:",
+		expectedError: ":MISSING_KEY_SHARE:",
 	})
 
 	testCases = append(testCases, testCase{
@@ -8979,7 +8979,7 @@ func addTLS13HandshakeTests() {
 			},
 		},
 		shouldFail:    true,
-		expectedError: ":UNEXPECTED_EXTENSION:",
+		expectedError: ":MISSING_KEY_SHARE:",
 	})
 
 	testCases = append(testCases, testCase{
diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c
index b9c3c689..f106c16b 100644
--- a/ssl/tls13_client.c
+++ b/ssl/tls13_client.c
@@ -214,13 +214,6 @@ static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
-  /* We only support PSK_DHE_KE. */
-  if (!have_key_share) {
-    OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
-    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
-    return ssl_hs_error;
-  }
-
   alert = SSL_AD_DECODE_ERROR;
   if (have_pre_shared_key) {
     if (ssl->session == NULL) {
@@ -289,6 +282,13 @@ static enum ssl_hs_wait_t do_process_server_hello(SSL_HANDSHAKE *hs) {
     return ssl_hs_error;
   }
 
+  if (!have_key_share) {
+    /* We do not support psk_ke and thus always require a key share. */
+    OPENSSL_PUT_ERROR(SSL, SSL_R_MISSING_KEY_SHARE);
+    ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_MISSING_EXTENSION);
+    return ssl_hs_error;
+  }
+
   /* Resolve ECDHE and incorporate it into the secret. */
   uint8_t *dhe_secret;
   size_t dhe_secret_len;