diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes
index 8a68b42..a8d2e20 100644
--- a/python-pyOpenSSL.changes
+++ b/python-pyOpenSSL.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 30 13:41:43 UTC 2018 - Vítězslav Čížek
+
+- handle that renegotiation is forbidden in TLS 1.3
+ * add tls13-renegotiation.patch
+
 -------------------------------------------------------------------
 Tue Oct 30 11:21:30 UTC 2018 - Tomáš Chvátal
diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec
index f3db6db..b198f14 100644
--- a/python-pyOpenSSL.spec
+++ b/python-pyOpenSSL.spec
@@ -29,6 +29,7 @@ Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe
 Patch1: skip-networked-test.patch
 Patch2: openssl-1.1.0i.patch
 Patch3: openssl-1.1.1.patch
+Patch4: tls13-renegotiation.patch
 BuildRequires: %{python_module cryptography >= 2.3.0}
 BuildRequires: %{python_module flaky}
 BuildRequires: %{python_module pretend}
diff --git a/tls13-renegotiation.patch b/tls13-renegotiation.patch
new file mode 100644
index 0000000..8bb360c
--- /dev/null
+++ b/tls13-renegotiation.patch
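Review bot: `Patch4: tls13-renegotiation.patch` is only declared in the spec hunk; nothing in the hunk applies it, and the `%prep` section lies outside the shown context. If the spec applies patches individually with `%patchN` rather than `%autosetup`/`%autopatch`, a matching `%patch4 -p1` is needed there, otherwise the new patch is silently left out of the build and the TLS 1.3 test fix never reaches the package. The patch's own `---`/`+++` headers are rooted at `pyOpenSSL-18.0.0/`, which fixes the strip level at 1.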
@@ -0,0 +1,56 @@
+Index: pyOpenSSL-18.0.0/tests/test_ssl.py
+===================================================================
+--- pyOpenSSL-18.0.0.orig/tests/test_ssl.py 2018-10-30 20:43:38.806954080 +0100
++++ pyOpenSSL-18.0.0/tests/test_ssl.py 2018-10-30 20:58:46.133504622 +0100
+@@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object):
+ """
+ Tests for SSL renegotiation APIs.
+ """
++
+ def test_total_renegotiations(self):
+ """
+ `Connection.total_renegotiations` returns `0` before any renegotiations
+@@ -3193,7 +3194,16 @@ class TestConnectionRenegotiate(object):
+ """
+ Go through a complete renegotiation cycle.
+ """
+- server, client = loopback()
++ # renegotiation works with TLS version <= 1.2
++ def makeServer12(socket):
++ ctx = Context(TLSv1_2_METHOD)
++ ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++ ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
++ server = Connection(ctx, socket)
++ server.set_accept_state()
++ return server
++
++ server, client = loopback(server_factory=makeServer12)
+
+ server.send(b"hello world")
+
+@@ -3216,6 +3226,25 @@ class TestConnectionRenegotiate(object):
+ while False is server.renegotiate_pending():
+ pass
+
++ # renegotiation is forbidden in TLS 1.3
++ server, client = loopback()
++
++ server.send(b"hello world")
++
++ assert b"hello world" == client.recv(len(b"hello world"))
++
++ assert 0 == server.total_renegotiations()
++ assert False is server.renegotiate_pending()
++
++ # renegotian under TLS 1.3 must fail
++
++ if client.get_protocol_version_name() == "TLSv1.3":
++ try:
++ assert False is server.renegotiate()
++ #error ('SSL routines', 'SSL_renegotiate', 'wrong ssl version')
++ except SSL.Error:
++ pass
++
+
+ class TestError(object):
+ """
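Review bot: The `except SSL.Error: pass` closing the added TLS 1.3 branch accepts any OpenSSL error, so a failure unrelated to the version restriction (a torn-down connection, for instance) would satisfy the test just as well as the intended refusal; since the comment already records the expected reason, bind the exception and check it, `except SSL.Error as err:` followed by `    assert "wrong ssl version" in str(err)` (the reason text may be formatted differently across OpenSSL releases, so confirm it against the library the package builds with). When the loopback does not negotiate TLS 1.3 the whole `if` block is skipped and the new code asserts nothing about renegotiation being refused; an `else` that calls `pytest.skip(...)` would make that visible, assuming the module runs under pytest as its bare `assert` style suggests. Two wording points: `# renegotian under TLS 1.3 must fail` should read `# renegotiation under TLS 1.3 must fail`, and `#error (...)` wants a space after `#` to match the surrounding comments. The `def` line of the test method these hunks modify, and the `loopback()` helper whose `server_factory` keyword the change relies on, are both outside the shown context.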