diff --git a/third-party/pjproject/patches/0019-TLSv13-ciphers.patch b/third-party/pjproject/patches/0019-TLSv13-ciphers.patch
index 81407e64ed581364ea9c21d15de33e21f9592f3f..1ebefe0ce9a4cb0b29b49bdb134e4253b89d69ce 100644
--- a/third-party/pjproject/patches/0019-TLSv13-ciphers.patch
+++ b/third-party/pjproject/patches/0019-TLSv13-ciphers.patch
@@ -1,12 +1,25 @@
diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
-index 63b42f4..300dd9b 100644
+index 63b42f4..4844d5e 100644
--- a/pjlib/src/pj/ssl_sock_ossl.c
+++ b/pjlib/src/pj/ssl_sock_ossl.c
-@@ -232,6 +232,31 @@ typedef struct ossl_sock_t
+@@ -231,6 +231,57 @@ typedef struct ossl_sock_t
+ /* Expected maximum value of reason component in OpenSSL error code */
#define MAX_OSSL_ERR_REASON 1200
-
-+// all TLS v1.2 ciphers required by 1tr114
++/* TLSv13 ciphers */
++static struct tlsv13_cipher {
++ int id;
++ const char *name;
++} tlsv13_ciphers[] = {
++ {0x1301, "TLS_AES_128_GCM_SHA256"},
++ {0x1302, "TLS_AES_256_GCM_SHA384"},
++ {0x1303, "TLS_CHACHA20_POLY1305_SHA256"},
++ {0x1304, "TLS_AES_128_CCM_SHA256"},
++ {0x1305, "TLS_AES_128_CCM_8_SHA256"},
++ {0, NULL}
++};
++
++/* all TLS v1.2 ciphers required by 1tr114 */
+#define PJ_OSSL_TLS1_2_CIPHERS_DT_DEFAULT \
+ "ECDHE-RSA-AES256-GCM-SHA384:"\
+ "AES256-GCM-SHA384:"\
@@ -16,7 +29,7 @@ index 63b42f4..300dd9b 100644
+ "AES128-GCM-SHA256:"\
+ "AES128-SHA256"
+
-+// all TLS v1.3 ciphers supported by openssl 1.1.11
++/* all TLS v1.3 ciphers supported by openssl 1.1.11 */
+#define PJ_OSSL_TLS1_3_CIPHERS_ALL \
+ "TLS_AES_128_GCM_SHA256:"\
+ "TLS_AES_256_GCM_SHA384:"\
@@ -24,17 +37,30 @@ index 63b42f4..300dd9b 100644
+ "TLS_AES_128_CCM_8_SHA256:"\
+ "TLS_CHACHA20_POLY1305_SHA256"
+
-+// all TLS v1.3 ciphers required by 1tr114
++/* all TLS v1.3 ciphers required by 1tr114 */
+#define PJ_OSSL_TLS1_3_CIPHERS_DT_DEFAULT \
+ "TLS_AES_128_GCM_SHA256:"\
+ "TLS_AES_256_GCM_SHA384:"\
+ "TLS_AES_128_CCM_SHA256:"\
+ "TLS_CHACHA20_POLY1305_SHA256"
+
++static const char * get_tlsv13_cipher_name(int id)
++{
++ struct tlsv13_cipher *cipher = &tlsv13_ciphers[0];
++
++ while (cipher->id) {
++ if (cipher->id == id)
++ return cipher->name;
++
++ ++cipher;
++ }
++
++ return NULL;
++}
+
static char *SSLErrorString (int err)
{
- switch (err) {
-@@ -732,6 +757,7 @@ static pj_status_t init_openssl(void)
+@@ -732,6 +783,7 @@ static pj_status_t init_openssl(void)
ctx=SSL_CTX_new(meth);
SSL_CTX_set_cipher_list(ctx, "ALL:COMPLEMENTOFALL");
@@ -42,35 +68,130 @@ index 63b42f4..300dd9b 100644
ssl = SSL_new(ctx);
-@@ -1765,11 +1791,15 @@ static pj_status_t set_cipher_list(pj_ssl_sock_t *ssock)
+@@ -1765,11 +1817,20 @@ static pj_status_t set_cipher_list(pj_ssl_sock_t *ssock)
int ret;
if (ssock->param.ciphers_num == 0) {
- ret = SSL_CTX_set_cipher_list(ossock->ossl_ctx, PJ_SSL_SOCK_OSSL_CIPHERS);
-+ if (ssock->param.proto == PJ_SSL_SOCK_PROTO_TLS1_3)
-+ ret = SSL_CTX_set_ciphersuites(ossock->ossl_ctx,PJ_OSSL_TLS1_3_CIPHERS_DT_DEFAULT);
-+ else
-+ ret = SSL_CTX_set_cipher_list(ossock->ossl_ctx,PJ_OSSL_TLS1_2_CIPHERS_DT_DEFAULT);
-+
- if (ret < 1) {
- return GET_SSL_STATUS(ssock);
+- if (ret < 1) {
+- return GET_SSL_STATUS(ssock);
- }
-
++ if (ssock->param.proto & PJ_SSL_SOCK_PROTO_TLS1_3) {
++ ret = SSL_CTX_set_ciphersuites(ossock->ossl_ctx, PJ_OSSL_TLS1_3_CIPHERS_DT_DEFAULT);
++ if (ret < 1) {
++ return GET_SSL_STATUS(ssock);
++ }
++ }
++
++ if (ssock->param.proto & PJ_SSL_SOCK_PROTO_TLS1_2) {
++ ret = SSL_CTX_set_cipher_list(ossock->ossl_ctx, PJ_OSSL_TLS1_2_CIPHERS_DT_DEFAULT);
++ if (ret < 1) {
++ return GET_SSL_STATUS(ssock);
++ }
+ }
+
return PJ_SUCCESS;
}
-@@ -1813,7 +1843,11 @@ static pj_status_t set_cipher_list(pj_ssl_sock_t *ssock)
+@@ -1785,16 +1846,20 @@ static pj_status_t set_cipher_list(pj_ssl_sock_t *ssock)
+
+ /* Generate user specified cipher list in OpenSSL format */
+ for (i = 0; i < ssock->param.ciphers_num; ++i) {
++ // Skip TLS 1.3 cipers
++ if (get_tlsv13_cipher_name(ssock->param.ciphers[i]))
++ continue;
++
+ for (j = 0; j < ssl_cipher_num; ++j) {
+ if (ssock->param.ciphers[i] == ssl_ciphers[j].id)
+ {
+ const char *c_name = ssl_ciphers[j].name;
+
+ /* Check buffer size */
+- if (cipher_list.slen + pj_ansi_strlen(c_name) + 2 >
+- BUF_SIZE)
++ if (cipher_list.slen + pj_ansi_strlen(c_name) + 2 > BUF_SIZE)
+ {
+ pj_assert(!"Insufficient temporary buffer for cipher");
++ pj_pool_release(tmp_pool);
+ return PJ_ETOOMANY;
+ }
+
+@@ -1806,14 +1871,61 @@ static pj_status_t set_cipher_list(pj_ssl_sock_t *ssock)
+ pj_strcat2(&cipher_list, c_name);
+ break;
+ }
+- }
++ }
+ }
+
+ /* Put NULL termination in the generated cipher list */
cipher_list.ptr[cipher_list.slen] = '\0';
- /* Finally, set chosen cipher list */
+- /* Finally, set chosen cipher list */
- ret = SSL_CTX_set_cipher_list(ossock->ossl_ctx, buf);
-+ if (ssock->param.proto == PJ_SSL_SOCK_PROTO_TLS1_3)
-+ ret = SSL_CTX_set_ciphersuites(ossock->ossl_ctx,buf);
-+ else
++ /* Set chosen cipher list */
++ if (cipher_list.slen)
+ ret = SSL_CTX_set_cipher_list(ossock->ossl_ctx, buf);
++ else
++ ret = SSL_CTX_set_cipher_list(ossock->ossl_ctx, "COMPLEMENTOFALL");
++
++ if (ret < 1) {
++ pj_pool_release(tmp_pool);
++ return GET_SSL_STATUS(ssock);
++ }
++
++ /* Only apply TLSv13 cipher suites for TLS1_3 PROTO */
++ if (!ssock->param.proto & PJ_SSL_SOCK_PROTO_TLS1_3) {
++ pj_pool_release(tmp_pool);
++ return PJ_SUCCESS;
++ }
++
++ pj_strset(&cipher_list, buf, 0);
++
++ /* Generate user specified TLSv13 cipher suites in OpenSSL format */
++ for (i = 0; i < ssock->param.ciphers_num; ++i) {
++ const char *c_name = get_tlsv13_cipher_name(ssock->param.ciphers[i]);
++ if (c_name) {
++ /* Check buffer size */
++ if (cipher_list.slen + pj_ansi_strlen(c_name) + 2 > BUF_SIZE)
++ {
++ pj_assert(!"Insufficient temporary buffer for cipher");
++ pj_pool_release(tmp_pool);
++ return PJ_ETOOMANY;
++ }
++
++ /* Add colon separator */
++ if (cipher_list.slen)
++ pj_strcat2(&cipher_list, ":");
++
++ /* Add the cipher */
++ pj_strcat2(&cipher_list, c_name);
++ }
++ }
++
++ /* Put NULL termination in the generated cipher list */
++ cipher_list.ptr[cipher_list.slen] = '\0';
++
++ /* Set chosen TLSv13 cipher suites */
++ if (cipher_list.slen)
++ ret = SSL_CTX_set_ciphersuites(ossock->ossl_ctx, buf);
++ else
++ ret = SSL_CTX_set_ciphersuites(ossock->ossl_ctx, PJ_OSSL_TLS1_3_CIPHERS_DT_DEFAULT);
+
if (ret < 1) {
pj_pool_release(tmp_pool);
return GET_SSL_STATUS(ssock);
+diff --git a/pjsip/src/pjsip/sip_transport_tls.c b/pjsip/src/pjsip/sip_transport_tls.c
+index 903a640..9e7f264 100644
+--- a/pjsip/src/pjsip/sip_transport_tls.c
++++ b/pjsip/src/pjsip/sip_transport_tls.c
+@@ -223,7 +223,7 @@ static pj_uint32_t ssl_get_proto(pjsip_ssl_method ssl_method, pj_uint32_t proto)
+ out_proto = PJ_SSL_SOCK_PROTO_TLS1_2;
+ break;
+ case PJSIP_TLSV1_3_METHOD:
+- out_proto = PJ_SSL_SOCK_PROTO_TLS1_3;
++ out_proto = PJ_SSL_SOCK_PROTO_TLS1_2 | PJ_SSL_SOCK_PROTO_TLS1_3;
+ break;
+ case PJSIP_SSLV23_METHOD:
+ out_proto = PJ_SSL_SOCK_PROTO_SSL23;