Index: pyOpenSSL-18.0.0/tests/test_ssl.py
===================================================================
--- pyOpenSSL-18.0.0.orig/tests/test_ssl.py	2018-10-30 20:43:38.806954080 +0100
+++ pyOpenSSL-18.0.0/tests/test_ssl.py	2018-10-30 20:58:46.133504622 +0100
@@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object):
     """
     Tests for SSL renegotiation APIs.
     """
+
     def test_total_renegotiations(self):
         """
         `Connection.total_renegotiations` returns `0` before any renegotiations
@@ -3193,7 +3194,16 @@ class TestConnectionRenegotiate(object):
         """
         Go through a complete renegotiation cycle.
         """
-        server, client = loopback()
+        # renegotiation works with TLS version <= 1.2
+        def makeServer12(socket):
+            ctx = Context(TLSv1_2_METHOD)
+            ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+            ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
+            server = Connection(ctx, socket)
+            server.set_accept_state()
+            return server
+
+        server, client = loopback(server_factory=makeServer12)
 
         server.send(b"hello world")
 
@@ -3216,6 +3226,25 @@ class TestConnectionRenegotiate(object):
         while False is server.renegotiate_pending():
             pass
 
+        # renegotiation is forbidden in TLS 1.3
+        server, client = loopback()
+
+        server.send(b"hello world")
+
+        assert b"hello world" == client.recv(len(b"hello world"))
+
+        assert 0 == server.total_renegotiations()
+        assert False is server.renegotiate_pending()
+
+        # renegotian under TLS 1.3 must fail
+
+        if client.get_protocol_version_name() == "TLSv1.3":
+            try:
+                assert False is server.renegotiate()
+                #error ('SSL routines', 'SSL_renegotiate', 'wrong ssl version')
+            except SSL.Error:
+                pass
+
 class TestError(object):
     """
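Review bot: The new inner helper `makeServer12` in the second hunk (`test_renegotiate`) does not follow the snake_case naming used elsewhere in this file and carries no docstring explaining why the server context is pinned to `TLSv1_2_METHOD`, which is the whole reason for the change. I would rename it `make_tls12_server` and open it with a one-line docstring such as `"""Server factory pinned to TLS 1.2: TLS 1.3 removed renegotiation, so the renegotiation cycle below must not negotiate it."""`. The comment above it, `# renegotiation works with TLS version <= 1.2`, could then go, since the docstring states the constraint where a reader of the helper sees it. The rest of `test_renegotiate` continues outside this hunk.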
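Review bot: In the third hunk the `assert False is server.renegotiate()` inside the `try` does not check what the surrounding comment says it checks: per the hunk's own comment the OpenSSL failure surfaces as an `SSL.Error` (`'wrong ssl version'`), and that exception is swallowed by `except SSL.Error: pass`, so the TLS 1.3 branch passes without asserting anything, while a renegotiate() that unexpectedly succeeds would raise AssertionError from a `True` return rather than being reported as the real defect. As far as I can tell `renegotiate()` never returns `False` once `renegotiate_pending()` is `False` (asserted two lines earlier), so the expected failure should be asserted directly: `with pytest.raises(SSL.Error):` / `    server.renegotiate()`, relying on the `pytest` import this test module already has and on `SSL` being importable at module level, which should be confirmed. When the negotiated protocol is not `"TLSv1.3"` the block is silently a no-op; an `else: pytest.skip("renegotiation test requires TLS 1.3")` would make that visible in the run rather than reporting a pass that proved nothing. The comment `# renegotian under TLS 1.3 must fail` has a typo and should read `# renegotiation under TLS 1.3 must fail`. The enclosing `test_renegotiate` starts outside this hunk.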