diff --git a/src/ssl.c b/src/ssl.c
index fb969ead0..7810c02d5 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -3168,6 +3168,11 @@ static int _Rehandshake(WOLFSSL* ssl)
     if (ssl == NULL)
         return BAD_FUNC_ARG;
 
+    if (IsAtLeastTLSv1_3(ssl->version)) {
+        WOLFSSL_MSG("Secure Renegotiation not supported in TLS 1.3");
+        return SECURE_RENEGOTIATION_E;
+    }
+
     if (ssl->secure_renegotiation == NULL) {
         WOLFSSL_MSG("Secure Renegotiation not forced on by user");
         return SECURE_RENEGOTIATION_E;
@@ -3178,6 +3183,11 @@ static int _Rehandshake(WOLFSSL* ssl)
         return SECURE_RENEGOTIATION_E;
     }
 
+    if (ssl->keys.dtls_epoch == 0xFFFF) {
+        WOLFSSL_MSG("Secure Renegotiation not allowed. Epoch would wrap");
+        return SECURE_RENEGOTIATION_E;
+    }
+
     /* If the client started the renegotiation, the server will already
      * have processed the client's hello. */
     if (ssl->options.side != WOLFSSL_SERVER_END ||