diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 15e11db15e..16939565fe 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -4936,22 +4936,6 @@ int  mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
                           const unsigned char *random, size_t rlen,
                           unsigned char *dstbuf, size_t dlen );
 
-/**
- * \brief Validate cipher suite against config in SSL context.
- *
- * \param ssl              SSL context
- * \param suite_info       Cipher suite to validate
- * \param min_tls_version  Minimal TLS version to accept a cipher suite
- * \param max_tls_version  Maximal TLS version to accept a cipher suite
- *
- * \return 0 if valid, negative value otherwise.
- */
-int mbedtls_ssl_validate_ciphersuite(
-    const mbedtls_ssl_context *ssl,
-    const mbedtls_ssl_ciphersuite_t *suite_info,
-    mbedtls_ssl_protocol_version min_tls_version,
-    mbedtls_ssl_protocol_version max_tls_version );
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index d2760826d1..f83f5d0666 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -2220,7 +2220,36 @@ int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
 
 #endif /* MBEDTLS_ECDH_C */
 
-int mbedtls_ssl_tls13_cipher_suite_is_offered( mbedtls_ssl_context *ssl,
-                                              int cipher_suite );
+static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
+        mbedtls_ssl_context *ssl, int cipher_suite )
+{
+    const int *ciphersuite_list = ssl->conf->ciphersuite_list;
+
+    /* Check whether we have offered this ciphersuite */
+    for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
+    {
+        if( ciphersuite_list[i] == cipher_suite )
+        {
+            return( 1 );
+        }
+    }
+    return( 0 );
+}
+
+/**
+ * \brief Validate cipher suite against config in SSL context.
+ *
+ * \param ssl              SSL context
+ * \param suite_info       Cipher suite to validate
+ * \param min_tls_version  Minimal TLS version to accept a cipher suite
+ * \param max_tls_version  Maximal TLS version to accept a cipher suite
+ *
+ * \return 0 if valid, negative value otherwise.
+ */
+int mbedtls_ssl_validate_ciphersuite(
+    const mbedtls_ssl_context *ssl,
+    const mbedtls_ssl_ciphersuite_t *suite_info,
+    mbedtls_ssl_protocol_version min_tls_version,
+    mbedtls_ssl_protocol_version max_tls_version );
 
 #endif /* ssl_misc.h */
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 1bcafe4927..4bee319dca 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1537,20 +1537,4 @@ int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
 }
 #endif /* MBEDTLS_ECDH_C */
 
-int mbedtls_ssl_tls13_cipher_suite_is_offered( mbedtls_ssl_context *ssl,
-                                              int cipher_suite )
-{
-    const int *ciphersuite_list = ssl->conf->ciphersuite_list;
-
-    /* Check whether we have offered this ciphersuite */
-    for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
-    {
-        if( ciphersuite_list[i] == cipher_suite )
-        {
-            return( 1 );
-        }
-    }
-    return( 0 );
-}
-
 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index a8e523a774..136d236217 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -51,7 +51,7 @@ static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
     const unsigned char *p = buf;
     size_t versions_len;
     const unsigned char *versions_end;
-    int tls_version;
+    uint16_t tls_version;
     int tls13_supported = 0;
 
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 1 );
@@ -84,7 +84,7 @@ static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
     }
 
     MBEDTLS_SSL_DEBUG_MSG( 1, ( "Negotiated version. Supported is [%04x]",
-                              tls_version ) );
+                              (unsigned int)tls_version ) );
 
     return( 0 );
 }
@@ -512,9 +512,9 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
 
     if( !ciphersuite_match )
     {
-        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
-                                      MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
-        return ( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
+                                      MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        return ( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
     }
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
@@ -525,7 +525,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
      * opaque legacy_compression_methods<1..2^8-1>;
      * ...
      */
-    if( p[0] != 1 || p[1] != 0 )
+    if( p[0] != 1 || p[1] != MBEDTLS_SSL_COMPRESS_NULL )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
         MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,