diff --git a/src/eap_server/eap_server_tls.c b/src/eap_server/eap_server_tls.c
index 9860a3653..0712d4ccd 100644
--- a/src/eap_server/eap_server_tls.c
+++ b/src/eap_server/eap_server_tls.c
@@ -261,8 +261,43 @@ static void eap_tls_process_msg(struct eap_sm *sm, void *priv,
  "handshake message");
  return;
  }
- if (eap_server_tls_phase1(sm, &data->ssl) < 0)
+ if (eap_server_tls_phase1(sm, &data->ssl) < 0) {
  eap_tls_state(data, FAILURE);
+ return;
+ }
+
+ if (data->ssl.tls_v13 &&
+ tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+ struct wpabuf *plain, *encr;
+
+ wpa_printf(MSG_DEBUG,
+ "EAP-TLS: Send empty application data to indicate end of exchange");
+ /* FIX: This should be an empty application data based on
+ * draft-ietf-emu-eap-tls13-05, but OpenSSL does not allow zero
+ * length payload (SSL_write() documentation explicitly
+ * describes this as not allowed), so work around that for now
+ * by sending out a payload of one octet. Hopefully the draft
+ * specification will change to allow this so that no crypto
+ * library changes are needed. */
+ plain = wpabuf_alloc(1);
+ if (!plain)
+ return;
+ wpabuf_put_u8(plain, 0);
+ encr = eap_server_tls_encrypt(sm, &data->ssl, plain);
+ wpabuf_free(plain);
+ if (!encr)
+ return;
+ if (wpabuf_resize(&data->ssl.tls_out, wpabuf_len(encr)) < 0) {
+ wpa_printf(MSG_INFO,
+ "EAP-TLS: Failed to resize output buffer");
+ wpabuf_free(encr);
+ return;
+ }
+ wpabuf_put_buf(data->ssl.tls_out, encr);
+ wpa_hexdump_buf(MSG_DEBUG,
+ "EAP-TLS: Data appended to the message", encr);
+ wpabuf_free(encr);
+ }
 }
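Review bot: The three early returns in the new tls_v13 block (after wpabuf_alloc, eap_server_tls_encrypt and wpabuf_resize) leave the session in its current state with no failure transition, unlike the phase1 error path just above, which this commit changes to call eap_tls_state(data, FAILURE) before returning. If the end-of-exchange record cannot be produced the peer presumably never receives the data it is waiting for, so marking the session failed on each of those paths, `eap_tls_state(data, FAILURE); return;`, would be consistent with the rest of the function and avoid a silently stalled exchange; the alloc and encrypt failures also return without any log line, where the resize failure at least reports at MSG_INFO. Separately, the block is guarded only by tls_v13 and tls_connection_established(), so if eap_tls_process_msg can be entered again after the handshake has completed, another encrypted one-octet record would be appended to tls_out on every call; a flag recording that the record has already been queued would prevent that, unless the caller guarantees a single invocation. The enclosing function eap_tls_process_msg starts before this hunk.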