diff --git a/ChangeLog.d/ffdh-tls-1-3.txt b/ChangeLog.d/ffdh-tls-1-3.txt
index 139b76273..d358f9b83 100644
--- a/ChangeLog.d/ffdh-tls-1-3.txt
+++ b/ChangeLog.d/ffdh-tls-1-3.txt
@@ -1,2 +1,2 @@
 Features
-   * Add usage of FFDH keys in TLS 1.3.
+   * Add support for FFDH key exchange in TLS 1.3.
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 163d0a02e..257a696b9 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -185,7 +185,7 @@ static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_ALPN */
 
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
-    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || defined(PSA_WANT_ALG_FFDH)
 /*
  * Function for writing a supported groups (TLS 1.3) or supported elliptic
  * curves (TLS 1.2) extension.
@@ -274,6 +274,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
                                       *group_list));
         }
 #endif /* MBEDTLS_ECP_LIGHT */
+#if defined(PSA_WANT_ALG_FFDH)
         if ((mbedtls_ssl_conf_is_tls13_enabled(ssl->conf) &&
              mbedtls_ssl_tls13_named_group_is_dhe(*group_list))) {
             const char *ffdh_group = NULL;
@@ -308,6 +309,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
             MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
                                       ffdh_group, *group_list));
         }
+#endif /* PSA_WANT_ALG_FFDH */
     }
 
     /* Length of named_group_list */
@@ -337,7 +339,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
     return 0;
 }
 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
-          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED || PSA_WANT_ALG_FFDH */
 
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_client_hello_cipher_suites(
@@ -629,7 +631,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
 #endif
 
 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
-    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || defined(PSA_WANT_ALG_FFDH)
     if (
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
         (propose_tls13 &&
@@ -645,7 +647,8 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
         }
         p += output_len;
     }
-#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
+#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
+          MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED || PSA_WANT_ALG_FFDH */
 
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
     if (
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1d44ccf48..c46f041a8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4949,7 +4949,7 @@ static uint16_t ssl_preset_default_groups[] = {
 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
     MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
 #endif
-#if defined(MBEDTLS_DHM_C)
+#if defined(PSA_WANT_ALG_FFDH)
     MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
     MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
     MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index c7b677e8e..dcf3087d6 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -25,8 +25,6 @@
 #include "test/psa_crypto_helpers.h"
 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
 
-#include "mbedtls/dhm.h"
-
 #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
 int main(void)
 {
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 88e328e92..f4b295990 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -12353,6 +12353,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups (ffdhe2048)" \
          "$P_SRV debug_level=5 force_version=tls13 curves=ffdhe2048" \
          "$P_CLI debug_level=5 force_version=tls13 curves=ffdhe2048" \
@@ -12367,6 +12368,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups (ffdhe3072)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=ffdhe3072" \
          "$P_CLI debug_level=4 force_version=tls13 curves=ffdhe3072" \
@@ -12381,6 +12383,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups (ffdhe4096)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=ffdhe4096" \
          "$P_CLI debug_level=4 force_version=tls13 curves=ffdhe4096" \
@@ -12395,6 +12398,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups (ffdhe6144)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=ffdhe6144" \
          "$P_CLI debug_level=4 force_version=tls13 curves=ffdhe6144" \
@@ -12409,6 +12413,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups (ffdhe8192)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=ffdhe8192" \
          "$P_CLI debug_level=4 force_version=tls13 curves=ffdhe8192" \
@@ -12423,6 +12428,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups - no match(server: ffdhe2048 client: secp384r1)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=ffdhe2048" \
          "$P_CLI debug_level=4 force_version=tls13 curves=secp384r1" \
@@ -12436,6 +12442,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 requires_config_enabled MBEDTLS_SSL_SRV_C
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
 requires_config_enabled PSA_WANT_ALG_FFDH
+requires_config_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 run_test "TLS 1.3: Test ffdh groups - no match(server: secp384r1 client: ffdhe2048)" \
          "$P_SRV debug_level=4 force_version=tls13 curves=secp384r1" \
          "$P_CLI debug_level=4 force_version=tls13 curves=ffdhe2048" \