diff --git a/src/ssl_clienthello.c b/src/ssl_clienthello.c
index ca0d6fb27..9d2f45093 100644
--- a/src/ssl_clienthello.c
+++ b/src/ssl_clienthello.c
@@ -396,8 +396,16 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 			if (cipher_id == SSL3_CK_SCSV || cipher_id == SSL3_CK_FALLBACK_SCSV)
 				continue;
 
-			if (SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa
-			    || SSL_CIPHER_get_auth_nid(cipher) == NID_auth_any) {
+			if (SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
+				has_ecdsa_sig = 1;
+				break;
+			}
+			if (SSL_CIPHER_get_auth_nid(cipher) == NID_auth_any &&
+			    s->ssl_conf.ssl_methods.max >= CONF_TLSV13) {
+				/* Checking for TLSv1.3 ciphersuites require to check that we allow TLSv1.3, otherwise it would
+				 * chose an ECDSA cipher because of the TLS13 ciphersuites, but the TLS12 ciphers could
+				 * lack ECDSA capabilities.
+				 */
 				has_ecdsa_sig = 1;
 				break;
 			}