diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index 95452fb1ce..b18b5aaed9 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -112,7 +112,13 @@ static int ssl_ext_supported_versions_add_serverhello(SSL_HANDSHAKE *hs,

 static const SSL_CIPHER *choose_tls13_cipher(const SSL *ssl) {
 STACK_OF(SSL_CIPHER) *tls13_ciphers = nullptr;
- if (ssl->ctx->tls13_cipher_list &&
+ // First check config, otherwise fallback to ctx, and otherwise let client
+ // preference dictate cipher selection
+ if (ssl->config && ssl->config->tls13_cipher_list &&
+ ssl->config->tls13_cipher_list.get()->ciphers &&
+ sk_SSL_CIPHER_num(ssl->config->tls13_cipher_list.get()->ciphers.get()) > 0) {
+ tls13_ciphers = ssl->config->tls13_cipher_list.get()->ciphers.get();
+ } else if (ssl->ctx->tls13_cipher_list &&
 ssl->ctx->tls13_cipher_list.get()->ciphers &&
 sk_SSL_CIPHER_num(ssl->ctx->tls13_cipher_list.get()->ciphers.get()) > 0) {
 tls13_ciphers = ssl->ctx->tls13_cipher_list.get()->ciphers.get();
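Review bot: The precedence added in choose_tls13_cipher fails open: a per-connection `ssl->config->tls13_cipher_list` that is set but holds zero ciphers is skipped silently, and selection falls back to the ctx list or, failing that, to client preference. If the setter for the per-connection list (not visible here) can ever leave an empty stack behind, a caller that meant to restrict this connection gets the broader policy instead, so the contract should be stated next to the check, e.g. `// An empty per-connection list is treated as unset, not as "allow nothing"; the setter must reject empty lists.` A test that gives the SSL_CTX and the SSL disjoint TLS 1.3 lists and asserts that the negotiated cipher comes from the SSL's list would pin the precedence. The three-part condition is now duplicated for config and ctx and could be folded into one small helper; the function body continues past the end of the hunk.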