diff --git a/scripts/tls13.test b/scripts/tls13.test index 002c3f219..27a891f58 100755 --- a/scripts/tls13.test +++ b/scripts/tls13.test @@ -162,7 +162,7 @@ echo "" # TLS 1.3 cipher suites server / client. echo -e "\n\nOnly TLS v1.3 cipher suites" port=0 -./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:TLS13-CHACH20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-8-SHA256 & +./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES128-CCM-SHA256:TLS13-AES128-CCM-8-SHA256 & server_pid=$! create_port ./examples/client/client -v 4 -p $port @@ -210,7 +210,7 @@ echo "" # TLS 1.3 cipher suites server / client. echo -e "\n\nOnly TLS v1.3 cipher suite - CHACHA20-POLY1305 SHA-256" port=0 -./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACH20-POLY1305-SHA256 & +./examples/server/server -v 4 -R $ready_file -p $port -l TLS13-CHACHA20-POLY1305-SHA256 & server_pid=$! create_port ./examples/client/client -v 4 -p $port diff --git a/src/internal.c b/src/internal.c index a6db2d19d..c48367faa 100755 --- a/src/internal.c +++ b/src/internal.c @@ -13621,7 +13621,7 @@ static const char* const cipher_names[] = #endif #ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256 - "TLS13-CHACH20-POLY1305-SHA256", + "TLS13-CHACHA20-POLY1305-SHA256", #endif #ifdef BUILD_TLS_AES_128_CCM_SHA256 @@ -14655,9 +14655,9 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list) } #endif /* WOLFSSL_DTLS */ - suites->suites[idx++] = (XSTRSTR(name, "CHACHA")) ? CHACHA_BYTE + suites->suites[idx++] = (XSTRSTR(name, "TLS13")) ? TLS13_BYTE + : (XSTRSTR(name, "CHACHA")) ? CHACHA_BYTE : (XSTRSTR(name, "QSH")) ? QSH_BYTE - : (XSTRSTR(name, "TLS13")) ? TLS13_BYTE : (XSTRSTR(name, "EC")) ? ECC_BYTE : (XSTRSTR(name, "CCM")) ? ECC_BYTE : 0x00; /* normal */ diff --git a/src/tls.c b/src/tls.c index 796fc89fa..59d335469 100755 --- a/src/tls.c 
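Review bot: The first-byte selection in SetCipherList now depends on the order of the substring tests, and nothing in the chain says so. With the corrected spelling, `TLS13-CHACHA20-POLY1305-SHA256` contains both `TLS13` and `CHACHA`, and the TLS 1.3 CCM names used in tls13.test also contain `CCM`. A comment above the assignment such as `/* TLS13 must be tested first: TLS 1.3 suite names also contain "CHACHA" or "CCM" */` would keep a later reorder from silently assigning the wrong suite byte. Matching the `TLS13-` prefix instead of a substring anywhere in the name would be stricter still. The function body starts and continues outside the hunk.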
+++ b/src/tls.c @@ -4428,7 +4428,8 @@ static int TLSX_SetSupportedVersions(TLSX** extensions, const void* data, */ static word16 TLSX_SignatureAlgorithms_GetSize(byte* data) { - int cnt = 0; + WOLFSSL* ssl = (WOLFSSL*)data; + int cnt = 0; (void)data; @@ -4446,6 +4447,7 @@ static word16 TLSX_SignatureAlgorithms_GetSize(byte* data) cnt++; #endif #ifdef WC_RSA_PSS + if (IsAtLeastTLSv1_3(ssl->version)) { #ifndef NO_SHA256 cnt++; #endif @@ -4455,6 +4457,7 @@ static word16 TLSX_SignatureAlgorithms_GetSize(byte* data) #ifdef HAVE_SHA512 cnt++; #endif + } #endif #endif @@ -4487,9 +4490,9 @@ static word16 TLSX_SignatureAlgorithms_GetSize(byte* data) */ static word16 TLSX_SignatureAlgorithms_Write(byte* data, byte* output) { - int idx = OPAQUE16_LEN; + WOLFSSL* ssl = (WOLFSSL*)data; + int idx = OPAQUE16_LEN; - (void)data; #ifndef NO_RSA #ifndef NO_SHA1 @@ -4509,6 +4512,7 @@ static word16 TLSX_SignatureAlgorithms_Write(byte* data, byte* output) output[idx++] = 0x01; #endif #ifdef WC_RSA_PSS + if (IsAtLeastTLSv1_3(ssl->version)) { #ifndef NO_SHA256 output[idx++] = 0x08; output[idx++] = 0x04; @@ -4521,6 +4525,7 @@ static word16 TLSX_SignatureAlgorithms_Write(byte* data, byte* output) output[idx++] = 0x08; output[idx++] = 0x06; #endif + } #endif #endif 
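Review bot: `ssl` is dereferenced in the new `IsAtLeastTLSv1_3(ssl->version)` guard without a NULL check, although the call this commit replaces in TLSX_PopulateExtensions passed `NULL` as the extension data. Any other caller of TLSX_SetSignatureAlgorithms that still passes NULL (none is visible here) would fault in both TLSX_SignatureAlgorithms_GetSize and TLSX_SignatureAlgorithms_Write. Either document that the data must be a valid `WOLFSSL*`, or use `if (ssl != NULL && IsAtLeastTLSv1_3(ssl->version)) {` in both functions so the computed size and the written bytes stay in step. Separately, `ssl` is only read inside `#ifdef WC_RSA_PSS`, so builds without it, or with NO_RSA, get an unused variable; `(void)ssl;` would cover that, and the `(void)data;` left in GetSize is now redundant. Both function bodies extend beyond the hunks.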
@@ -7065,17 +7070,17 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) } /* is not server */ #ifdef WOLFSSL_TLS13 + WOLFSSL_MSG("Adding signature algorithms extension"); + if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, + ssl->heap)) != 0) + return ret; + if (!isServer && IsAtLeastTLSv1_3(ssl->version)) { /* Add mandatory TLS v1.3 extension: supported version */ WOLFSSL_MSG("Adding supported versions extension"); if ((ret = TLSX_SetSupportedVersions(&ssl->extensions, ssl, ssl->heap)) != 0) return ret; - /* Add TLS v1.3 extension: signature algorithms */ - WOLFSSL_MSG("Adding signature algorithms extension"); - if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, NULL, - ssl->heap)) != 0) - return ret; /* Add FFDHE supported groups. */ #ifdef HAVE_FFDHE_2048 @@ -7201,9 +7206,10 @@ word16 TLSX_GetRequestSize(WOLFSSL* ssl) QSH_VALIDATE_REQUEST(ssl, semaphore); WOLF_STK_VALIDATE_REQUEST(ssl); #if defined(WOLFSSL_TLS13) + if (!IsAtLeastTLSv1_2(ssl)) + TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); if (!IsAtLeastTLSv1_3(ssl->version)) { TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); - TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); #ifndef NO_PSK TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); @@ -7252,9 +7258,10 @@ word16 TLSX_WriteRequest(WOLFSSL* ssl, byte* output) WOLF_STK_VALIDATE_REQUEST(ssl); QSH_VALIDATE_REQUEST(ssl, semaphore); #if defined(WOLFSSL_TLS13) + if (!IsAtLeastTLSv1_2(ssl)) + TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); if (!IsAtLeastTLSv1_3(ssl->version)) { TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); - TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); #ifndef NO_PSK TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES)); 
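Review bot: The signature algorithms extension is now added before the `!isServer` test in TLSX_PopulateExtensions, so it is attached on the server side as well, and for every protocol version. Whether it can reach a server response depends on the response-side masking, which is not visible in this diff. If servers are not meant to carry it, keep a guard such as `if (!isServer)` around the call, or add a comment naming the later step that suppresses it. The function continues outside the hunk.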
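Review bot: The added `if (!IsAtLeastTLSv1_2(ssl))` branch in TLSX_GetRequestSize turns on `TLSX_SUPPORTED_VERSIONS`, which the block directly below already turns on for everything under TLS 1.3, so the new branch has no effect. This commit removes the `TLSX_SIGNATURE_ALGORITHMS` mask from the 1.3 block and adds the extension unconditionally in TLSX_PopulateExtensions, so the likely intent was `TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));`. As written, a client limited to TLS 1.1 or lower would still size and write signature_algorithms, which RFC 5246 says clients must not offer for earlier versions. The TLSX_WriteRequest hunk has the same line and needs the same change, so that the size and the written output keep matching.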
@@ -7637,7 +7644,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType, case TLSX_SIGNATURE_ALGORITHMS: WOLFSSL_MSG("Signature Algorithms extension received"); - if (!IsAtLeastTLSv1_3(ssl->version)) + if (!IsAtLeastTLSv1_2(ssl)) break; if (IsAtLeastTLSv1_3(ssl->version) && diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index ad8431444..7d3bff0ce 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1005,8 +1005,6 @@ static int CheckBitString(const byte* input, word32* inOutIdx, int* len, if (b != 0) { if ((byte)(input[idx + length - 1] << (8 - b)) != 0) return ASN_PARSE_E; - if (((input[idx + length - 1] >> b) & 0x01) != 0x01) - return ASN_PARSE_E; } idx++; length--; /* length has been checked for greater than 0 */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 0c6c3ed57..12c79d156 100755 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2348,7 +2348,7 @@ enum SignatureAlgorithm { anonymous_sa_algo = 0, rsa_sa_algo = 1, dsa_sa_algo = 2, - ecc_dsa_sa_algo = 4, + ecc_dsa_sa_algo = 3, rsa_pss_sa_algo = 8 };
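Review bot: Relaxing the early `break` to `!IsAtLeastTLSv1_2(ssl)` lets TLS 1.2 connections reach the parse, but the check that follows is still conditioned on `IsAtLeastTLSv1_3(ssl->version)`, and its second operand is outside the hunk. If that operand is the message-type restriction, the TLS 1.2 path has no equivalent restriction and the extension would be accepted in whichever message carries it. A separate test for the 1.2 case, or a comment stating why none is needed, would settle it. It is also worth confirming that `ssl->version` is already final when this case runs, since both gates depend on it.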
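Review bot: The enumerators in `enum SignatureAlgorithm` appear to be protocol wire values, yet nothing in the declaration says so, which leaves a wrong value like the old `ecc_dsa_sa_algo = 4` easy to miss. A comment on the enum such as `/* values are the on-the-wire SignatureAlgorithm codes; do not renumber */` would document that. Any place that stored or compared the literal 4 for ECDSA needs checking (none is visible in this diff), since TLSX_SignatureAlgorithms_Write emits raw byte literals instead of these names. The enum opens outside the hunk.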