</listitem>
      </varlistentry>
 
+     <varlistentry id="guc-ssl-tls13-ciphers" xreflabel="ssl_tls13_ciphers">
+      <term><varname>ssl_tls13_ciphers</varname> (<type>string</type>)
+      <indexterm>
+       <primary><varname>ssl_tls13_ciphers</varname> configuration parameter</primary>
+      </indexterm>
+      </term>
+      <listitem>
+       <para>
+        Specifies a list of cipher suites that are allowed by connections using
+        <acronym>TLS</acronym> version 1.3.  Multiple cipher suites can be
+        specified by using a colon separated list. If left blank, the default
+        set of cipher suites in <productname>OpenSSL</productname> will be used.
+       </para>
+
+       <para>
+        This parameter can only be set in the
+        <filename>postgresql.conf</filename> file or on the server command
+        line.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="guc-ssl-ciphers" xreflabel="ssl_ciphers">
       <term><varname>ssl_ciphers</varname> (<type>string</type>)
       <indexterm>
       </term>
       <listitem>
        <para>
-        Specifies a list of <acronym>SSL</acronym> cipher suites that are
-        allowed to be used by SSL connections.  See the
-        <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry>
+        Specifies a list of <acronym>SSL</acronym> ciphers that are allowed by
+        connections using TLS version 1.2 and lower, see
+        <xref linkend="guc-ssl-tls13-ciphers"/> for TLS version 1.3 connections. See
+        the <citerefentry><refentrytitle>ciphers</refentrytitle></citerefentry>
         manual page in the <productname>OpenSSL</productname> package for the
-        syntax of this setting and a list of supported values.  Only
-        connections using TLS version 1.2 and lower are affected.  There is
-        currently no setting that controls the cipher choices used by TLS
-        version 1.3 connections.  The default value is
-        <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>.  The default is usually a
+        syntax of this setting and a list of supported values.  The default value
+        is <literal>HIGH:MEDIUM:+3DES:!aNULL</literal>.  The default is usually a
         reasonable choice unless you have specific security requirements.
        </para>
 
 
        if (!initialize_ecdh(context, isServerStart))
                goto error;
 
-       /* set up the allowed cipher list */
-       if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1)
+       /* set up the allowed cipher list for TLSv1.2 and below */
+       if (SSL_CTX_set_cipher_list(context, SSLCipherList) != 1)
        {
                ereport(isServerStart ? FATAL : LOG,
                                (errcode(ERRCODE_CONFIG_FILE_ERROR),
-                                errmsg("could not set the cipher list (no valid ciphers available)")));
+                                errmsg("could not set the TLSv1.2 cipher list (no valid ciphers available)")));
                goto error;
        }
 
+       /*
+        * Set up the allowed cipher suites for TLSv1.3. If the GUC is an empty
+        * string we leave the allowed suites to be the OpenSSL default value.
+        */
+       if (SSLCipherSuites[0])
+       {
+               /* set up the allowed cipher suites */
+               if (SSL_CTX_set_ciphersuites(context, SSLCipherSuites) != 1)
+               {
+                       ereport(isServerStart ? FATAL : LOG,
+                                       (errcode(ERRCODE_CONFIG_FILE_ERROR),
+                                        errmsg("could not set the TLSv1.3 cipher suites (no valid ciphers available)")));
+                       goto error;
+               }
+       }
+
        /* Let server choose order */
        if (SSLPreferServerCiphers)
                SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
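Review bot: The failure branch for `SSL_CTX_set_ciphersuites()` reports only "no valid ciphers available", which names neither the `ssl_tls13_ciphers` setting nor the reason OpenSSL gave; whether a single unrecognised suite name fails the whole call also appears to differ between OpenSSL releases and should be confirmed against the supported versions. I would name the GUC in the message, e.g. `errmsg("could not set the TLSv1.3 cipher suites from \"ssl_tls13_ciphers\"")`, and attach the library's error text as an `errdetail`. Because the level is `LOG` when `isServerStart` is false, a bad value on reload presumably leaves the previous suites in force while the configuration file shows the new ones, so this log line is the only signal an operator gets. The inner comment `/* set up the allowed cipher suites */` repeats the block comment above it and can be dropped. The enclosing function starts and ends outside this hunk.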
 
 
 /* GUC variable controlling SSL cipher list */
 char      *SSLCipherSuites = NULL;
+char      *SSLCipherList = NULL;
 
 /* GUC variable for default ECHD curve. */
 char      *SSLECDHCurve;
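Review bot: The comment `/* GUC variable controlling SSL cipher list */` now sits over two variables and no longer says which setting each one holds. After this change `SSLCipherSuites` backs `ssl_tls13_ciphers` and the new `SSLCipherList` backs `ssl_ciphers`, so the existing name changes meaning for any code that still reads it (it is exported with `PGDLLIMPORT`). I would replace the comment with `/* GUC variables: TLSv1.3 cipher suites (ssl_tls13_ciphers) and TLSv1.2-and-lower cipher list (ssl_ciphers) */`.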
 
        },
 
        {
-               {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
-                       gettext_noop("Sets the list of allowed SSL ciphers."),
+               {"ssl_tls13_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
+                       gettext_noop("Sets the list of allowed TLSv1.3 cipher suites (leave blank for default)."),
                        NULL,
                        GUC_SUPERUSER_ONLY
                },
                &SSLCipherSuites,
+               "",
+               NULL, NULL, NULL
+       },
+
+       {
+               {"ssl_ciphers", PGC_SIGHUP, CONN_AUTH_SSL,
+                       gettext_noop("Sets the list of allowed TLSv1.2 (and lower) ciphers."),
+                       NULL,
+                       GUC_SUPERUSER_ONLY
+               },
+               &SSLCipherList,
 #ifdef USE_OPENSSL
                "HIGH:MEDIUM:+3DES:!aNULL",
 #else
 
 #ssl_crl_file = ''
 #ssl_crl_dir = ''
 #ssl_key_file = 'server.key'
-#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'      # allowed SSL ciphers
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'      # allowed TLSv1.2 ciphers
+#ssl_tls13_ciphers = ''        # allowed TLSv1.3 cipher suites, blank for default
 #ssl_prefer_server_ciphers = on
 #ssl_groups = 'prime256v1'
 #ssl_min_protocol_version = 'TLSv1.2'
 
 
 /* GUCs */
 extern PGDLLIMPORT char *SSLCipherSuites;
+extern PGDLLIMPORT char *SSLCipherList;
 extern PGDLLIMPORT char *SSLECDHCurve;
 extern PGDLLIMPORT bool SSLPreferServerCiphers;
 extern PGDLLIMPORT int ssl_min_protocol_version;
 
        ok(unlink($node->data_dir . '/sslconfig.conf'));
        $node->append_conf('sslconfig.conf', "ssl=on");
        $node->append_conf('sslconfig.conf', $backend->set_server_cert(\%params));
-       # use lists of ECDH curves for syntax testing
+       # use lists of ECDH curves and cipher suites for syntax testing
        $node->append_conf('sslconfig.conf', 'ssl_groups=prime256v1:secp521r1');
+       $node->append_conf('sslconfig.conf', 'ssl_tls13_ciphers=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256');
 
        $node->append_conf('sslconfig.conf',
                "ssl_passphrase_command='" . $params{passphrase_cmd} . "'")
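Review bot: The added `ssl_tls13_ciphers` line only proves that a well-formed, colon-separated list is accepted at server start. Nothing in this hunk checks that a malformed or unknown suite name is rejected, or that a TLSv1.3 connection ends up on one of the two configured suites. A negative case that sets an invalid value and expects startup to fail would pin the new error path. The surrounding test routine starts and ends outside this hunk, so such checks may exist elsewhere.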