diff -up openssl-1.1.1k/ssl/statem/statem_lib.c.servername-cb openssl-1.1.1k/ssl/statem/statem_lib.c

--- openssl-1.1.1k/ssl/statem/statem_lib.c.servername-cb	2021-07-16 16:03:04.200024170 +0200

+++ openssl-1.1.1k/ssl/statem/statem_lib.c	2021-07-16 16:08:04.076630415 +0200

@@ -1504,8 +1504,8 @@ static int ssl_method_error(const SSL *s

 /*

  * Only called by servers. Returns 1 if the server has a TLSv1.3 capable

- * certificate type, or has PSK or a certificate callback configured, or has

- * a servername callback configured. Otherwise returns 0.

+ * certificate type, or has PSK or a certificate callback configured. Otherwise

+ * returns 0.

  */

 static int is_tls13_capable(const SSL *s)

 {

@@ -1515,17 +1515,6 @@ static int is_tls13_capable(const SSL *s

     EC_KEY *eckey;

 #endif

-    if (!ossl_assert(s->ctx != NULL) || !ossl_assert(s->session_ctx != NULL))

-        return 0;

-

-    /*

-     * A servername callback can change the available certs, so if a servername

-     * cb is set then we just assume TLSv1.3 will be ok

-     */

-    if (s->ctx->ext.servername_cb != NULL

-            || s->session_ctx->ext.servername_cb != NULL)

-        return 1;

-

 #ifndef OPENSSL_NO_PSK

     if (s->psk_server_callback != NULL)

         return 1;

diff -up openssl-1.1.1k/test/sslapitest.c.servername-cb openssl-1.1.1k/test/sslapitest.c

--- openssl-1.1.1k/test/sslapitest.c.servername-cb	2021-07-16 16:08:20.094823046 +0200

+++ openssl-1.1.1k/test/sslapitest.c	2021-07-16 16:09:25.708612095 +0200

@@ -6658,62 +6658,6 @@ static int test_ssl_dup(void)

 }

 #endif

-#ifndef OPENSSL_NO_TLS1_3

-/*

- * Test that setting an SNI callback works with TLSv1.3. Specifically we check

- * that it works even without a certificate configured for the original

- * SSL_CTX

- */

-static int test_sni_tls13(void)

-{

-    SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL;

-    SSL *clientssl = NULL, *serverssl = NULL;

-    int testresult = 0;

-

-    /* Reset callback counter */

-    snicb = 0;

-

-    /* Create an initial SSL_CTX with no certificate configured */

-    sctx = SSL_CTX_new(TLS_server_method());

-    if (!TEST_ptr(sctx))

-        goto end;

-    /* Require TLSv1.3 as a minimum */

-    if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),

-                                       TLS1_3_VERSION, 0, &sctx2, &cctx, cert,

-                                       privkey)))

-        goto end;

-

-    /* Set up SNI */

-    if (!TEST_true(SSL_CTX_set_tlsext_servername_callback(sctx, sni_cb))

-            || !TEST_true(SSL_CTX_set_tlsext_servername_arg(sctx, sctx2)))

-        goto end;

-

-    /*

-     * Connection should still succeed because the final SSL_CTX has the right

-     * certificates configured.

-     */

-    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl,

-                                      &clientssl, NULL, NULL))

-            || !TEST_true(create_ssl_connection(serverssl, clientssl,

-                                                SSL_ERROR_NONE)))

-        goto end;

-

-    /* We should have had the SNI callback called exactly once */

-    if (!TEST_int_eq(snicb, 1))

-        goto end;

-

-    testresult = 1;

-

-end:

-    SSL_free(serverssl);

-    SSL_free(clientssl);

-    SSL_CTX_free(sctx2);

-    SSL_CTX_free(sctx);

-    SSL_CTX_free(cctx);

-    return testresult;

-}

-#endif

-

 int setup_tests(void)

 {

     if (!TEST_ptr(certsdir = test_get_argument(0))

@@ -6837,9 +6781,6 @@ int setup_tests(void)

 #ifndef OPENSSL_NO_TLS1_2

     ADD_TEST(test_ssl_dup);

 #endif

-#ifndef OPENSSL_NO_TLS1_3

-    ADD_TEST(test_sni_tls13);

-#endif

     return 1;

 }