diff --git ssl/ssl_ciph.c ssl/ssl_ciph.c
index 735a483c64..74f02de695 100644
--- ssl/ssl_ciph.c
+++ ssl/ssl_ciph.c
@@ -1292,7 +1292,8 @@ static int ciphersuite_cb(const char *elem, int len, void *arg)
     cipher = ssl3_get_cipher_by_std_name(name);
     if (cipher == NULL) {
         SSLerr(SSL_F_CIPHERSUITE_CB, SSL_R_NO_CIPHER_MATCH);
-        return 0;
+        /* Ciphersuite not found but return 1 to parse rest of the list */
+        return 1;
     }
 
     if (!sk_SSL_CIPHER_push(ciphersuites, cipher)) {
@@ -1312,7 +1313,8 @@ static __owur int set_ciphersuites(STACK_OF(SSL_CIPHER) **currciphers, const cha
 
     /* Parse the list. We explicitly allow an empty list */
     if (*str != '\0'
-            && !CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers)) {
+            && (CONF_parse_list(str, ':', 1, ciphersuite_cb, newciphers) <= 0
+                || sk_SSL_CIPHER_num(newciphers) == 0 )) {
         sk_SSL_CIPHER_free(newciphers);
         return 0;
     }
@@ -1599,8 +1601,19 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 
     /* Add TLSv1.3 ciphers first - we always prefer those if possible */
     for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
-        if (!sk_SSL_CIPHER_push(cipherstack,
-                                sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
+        const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i);
+
+        /* Don't include any TLSv1.3 ciphers that are disabled */
+        if ((sslc->algorithm_enc & disabled_enc) != 0
+                || (ssl_cipher_table_mac[sslc->algorithm2
+                                         & SSL_HANDSHAKE_MAC_MASK].mask
+                    & disabled_mac_mask) != 0) {
+            sk_SSL_CIPHER_delete(tls13_ciphersuites, i);
+            i--;
+            continue;
+        }
+
+        if (!sk_SSL_CIPHER_push(cipherstack, sslc)) {
             sk_SSL_CIPHER_free(cipherstack);
             return NULL;
         }