diff --git a/.travis.yml b/.travis.yml
index 4e97d47..c10af39 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,7 +9,7 @@ go:
 env:
 - MODE=interop CLIENT=boring SERVER=boring
- - MODE=interop CLIENT=tstclnt
+ - MODE=interop CLIENT=tstclnt SERVER=tstclnt
 - MODE=interop CLIENT=picotls ZRTT=1
 - MODE=interop CLIENT=mint
 - MODE=bogo
diff --git a/_dev/tris-testclient/client.go b/_dev/tris-testclient/client.go
index 05c44f8..e76ea65 100644
--- a/_dev/tris-testclient/client.go
+++ b/_dev/tris-testclient/client.go
@@ -57,7 +57,9 @@ func (c *Client) run(addr string, version, cipherSuite uint16) {
 buf := make([]byte, 1024)
 n, err := con.Read(buf)
- if err != nil {
+ // A non-zero read with EOF is acceptable and occurs when a close_notify
+ // is received right after reading data (observed with NSS selfserv).
+ if !(n > 0 && err == io.EOF) && err != nil {
 fmt.Printf("Read failed: %v\n\n", err)
 c.failed++
 return
diff --git a/_dev/tstclnt/Dockerfile b/_dev/tstclnt/Dockerfile
index 64ffbe4..d1df83c 100644
--- a/_dev/tstclnt/Dockerfile
+++ b/_dev/tstclnt/Dockerfile
@@ -17,8 +17,8 @@ ENV USE_64=1 NSS_ENABLE_TLS_1_3=1
 # Draft 18
 # ARG REVISION=b6dfef6d0ff0
-# tstclnt resumption
-ARG REVISION=2ed8aef0b360
+# Draft 18, NSS_3_34_1_RTM (with TLS 1.3 keylogging support)
+ARG REVISION=e61c0f657100
 RUN cd nss && hg pull
 RUN cd nss && hg checkout -C $REVISION
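Review bot: In `_dev/tris-testclient/client.go`, the new guard `!(n > 0 && err == io.EOF) && err != nil` is a double negative that is easy to misread; `if err != nil && (err != io.EOF || n == 0) {` states the same rule with the error check first. The comment should also say why tolerating EOF is safe: it relies on the TLS layer returning `io.EOF` only after a close_notify and a different error for a transport-level truncation. That is how crypto/tls behaves and presumably tris too, but it is not visible in this hunk. The hunk adds no import, so `io` must already be imported in this file. The body of `run` starts and ends outside the hunk.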
@@ -39,6 +39,14 @@ ENV LD_LIBRARY_PATH=/dist/OBJ-PATH/lib
 ENV SSLTRACE=100 SSLDEBUG=100
+# Init test key using an empty noise (seed) file (-z /dev/null).
+# Use different subjects, otherwise NSS seems to merge keys under the same nickname.
+RUN mkdir /certdb && \
+ /dist/OBJ-PATH/bin/certutil -d /certdb -N --empty-password && \
+ /dist/OBJ-PATH/bin/certutil -d /certdb -S -n rsa-server -t u -x -s CN=localhost -k rsa -z /dev/null && \
+ /dist/OBJ-PATH/bin/certutil -d /certdb -S -n ecdsa-server -t u -x -s CN=localhost,O=EC -k ec -z /dev/null -q nistp256
+
 ADD httpreq.txt /httpreq.txt
 ADD run.sh /run.sh
+ADD server.sh /server.sh
 ENTRYPOINT ["/run.sh"]
diff --git a/_dev/tstclnt/server.sh b/_dev/tstclnt/server.sh
new file mode 100755
index 0000000..1a1d071
--- /dev/null
+++ b/_dev/tstclnt/server.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+PATH=/dist/OBJ-PATH/bin:$PATH
+set -x
+
+# RSA
+selfserv -n rsa-server -p 1443 -d /certdb -V tls1.2:tls1.3 -v -Z &
+
+# ECDSA
+selfserv -n ecdsa-server -p 2443 -d /certdb -V tls1.2:tls1.3 -v -Z &
+
+wait
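Review bot: Both `certutil -S` lines in the Dockerfile's new `RUN` omit `-v`, so the self-signed server certificates get certutil's default validity (three months, per its documentation) counted from image build time. An image reused from cache beyond that would serve expired certificates, which surfaces as a confusing handshake failure if the peer checks validity. Adding an explicit validity such as `-v 120` to each `-S` call, or a comment that the image must be rebuilt regularly, would avoid that. The comment above the `RUN` should also state that `/certdb` has an empty password and its private keys are baked into the image layers, so the image is for interop tests only.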
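Review bot: In `server.sh`, a `selfserv` that fails to start goes unnoticed: both are backgrounded and a bare `wait` returns 0 whatever the children exited with. The interop run would then fail later with a connection error rather than at the cause. Capturing the pids (`rsa_pid=$!`, `ecdsa_pid=$!`) and waiting on them by pid would let the script exit with the server's status. A short header comment would help too: `# Test-only NSS listeners: RSA on 1443, ECDSA on 2443, TLS 1.2-1.3, -Z enables 0-RTT; keys come from /certdb built in the Dockerfile.`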