diff --git a/lib/priority.c b/lib/priority.c
index 53c0d552d..6a4ccc2f4 100644
--- a/lib/priority.c
+++ b/lib/priority.c
@@ -179,7 +179,9 @@ static const int _supported_groups_secure192[] = {
 static const int* supported_groups_secure192 = _supported_groups_secure192;
 
 static const int protocol_priority[] = {
+#ifdef ENABLE_TLS13
 	GNUTLS_TLS1_3,
+#endif
 	GNUTLS_TLS1_2,
 	GNUTLS_TLS1_1,
 	GNUTLS_TLS1_0,
diff --git a/tests/mini-x509.c b/tests/mini-x509.c
index 52c650aa7..9b6bbcc00 100644
--- a/tests/mini-x509.c
+++ b/tests/mini-x509.c
@@ -258,5 +258,9 @@ void doit(void)
 {
 	start("NORMAL:-VERS-ALL:+VERS-TLS1.2", 0);
 	start("NORMAL:-VERS-ALL:+VERS-TLS1.3", 0);
+#ifndef ENABLE_TLS13
+	start("NORMAL", 0);
+#else
 	start("NORMAL", 1);
+#endif
 }
diff --git a/tests/priorities.c b/tests/priorities.c
index 6daef59ab..c5d44ea33 100644
--- a/tests/priorities.c
+++ b/tests/priorities.c
@@ -114,19 +114,27 @@ try_prio_err(const char *prio, int err)
 void doit(void)
 {
 	const int null = 3;
+#ifdef ENABLE_TLS13
 	int sec128_cs = 29;
 	int sec256_cs = 12;
 	int normal_cs = 29;
 	int pfs_cs = 23;
 	int null_normal_cs = 28; /* disables TLS1.3 CS */
+#else
+	int sec128_cs = 25;
+	int sec256_cs = 10;
+	int pfs_cs = 19;
+	int normal_cs = 25;
+	int null_normal_cs = normal_cs + null;
+#endif
 	int normal_ciphers = 7;
 
 	if (gnutls_fips140_mode_enabled()) {
-		normal_cs = 25;
+		normal_cs = 22;
 		normal_ciphers = 6;
-		pfs_cs = 25;
-		sec256_cs = 8;
-		sec128_cs = 25;
+		pfs_cs = 22;
+		sec256_cs = 7;
+		sec128_cs = 22;
 	}
 
 	try_prio("NORMAL", normal_cs, normal_ciphers, __LINE__);
diff --git a/tests/psk-file.c b/tests/psk-file.c
index 2512086e0..28d45560b 100644
--- a/tests/psk-file.c
+++ b/tests/psk-file.c
@@ -377,8 +377,13 @@ void doit(void)
 
 	run_test_ok("NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+PSK", "jas", &key, 1, 0);
 	run_test_ok("NORMAL:-KX-ALL:+PSK", "jas", &key, 0, 0);
+#ifdef ENABLE_TLS13
 	run_test2("NORMAL:+PSK", NULL, "unknown", &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
 	run_test2("NORMAL:+PSK", NULL, "jas", &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
+#else
+	run_test2("NORMAL:+PSK", NULL, "unknown", &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_DECRYPTION_FAILED);
+	run_test2("NORMAL:+PSK", NULL, "jas", &wrong_key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_DECRYPTION_FAILED);
+#endif
 	run_test2("NORMAL:-KX-ALL:+PSK", NULL, "non-hex", &key, 1, 0, GNUTLS_E_FATAL_ALERT_RECEIVED, GNUTLS_E_KEYFILE_ERROR);
 
 	run_dhtest_ok("NORMAL:-VERS-ALL:+VERS-TLS1.3:+DHE-PSK:-GROUP-EC-ALL", "jas", &key, 0, 0);
diff --git a/tests/pskself.c b/tests/pskself.c
index f3cc88217..65aceb252 100644
--- a/tests/pskself.c
+++ b/tests/pskself.c
@@ -326,9 +326,15 @@ void doit(void)
 	/* the following should work once we support PSK without DH */
 	run_test("NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+PSK", 0);
 
+#ifdef ENABLE_TLS13
 	run_test("NORMAL:-KX-ALL:+PSK", 0);
 	run_test("NORMAL:-KX-ALL:+ECDHE-PSK", 0);
 	run_test("NORMAL:-KX-ALL:+DHE-PSK", 0);
+#else
+	run_test("NORMAL:-KX-ALL:+PSK", 1);
+	run_test("NORMAL:-KX-ALL:+ECDHE-PSK", 1);
+	run_test("NORMAL:-KX-ALL:+DHE-PSK", 1);
+#endif
 
 	gnutls_dh_params_deinit(dh_params);
 }
diff --git a/tests/session-tickets-missing.c b/tests/session-tickets-missing.c
index 35c9045b4..69f16cf64 100644
--- a/tests/session-tickets-missing.c
+++ b/tests/session-tickets-missing.c
@@ -316,7 +316,11 @@ void doit(void)
 	start("NORMAL:-VERS-ALL:+VERS-TLS1.3", GNUTLS_NO_TICKETS);
 	/* ...or there is no overlap between PSK key exchange modes */
 	start2("NORMAL:-VERS-ALL:+VERS-TLS1.3:+PSK:-DHE-PSK", "NORMAL:-VERS-ALL:+VERS-TLS1.3", 0, 0);
+#ifdef ENABLE_TLS13
 	start("NORMAL", GNUTLS_NO_TICKETS);
+#else
+	start("NORMAL", 0);
+#endif
 }
 
 #endif				/* _WIN32 */