diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index a14925c6e..4db9cfed1 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -10466,6 +10466,22 @@ SSL TLS 1.3 Key schedule: Traffic key generation #2 (RFC 8448)
 depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
 ssl_tls1_3_traffic_key_generation:MBEDTLS_MD_SHA256:"a2067265e7f0652a923d5d72ab0467c46132eeb968b6a32d311c805868548814":"ff0e5b965291c608c1e8cd267eefc0afcc5e98a2786373f0db47b04786d72aea":12:16:"844780a7acad9f980fa25c114e43402a":"4c042ddc120a38d1417fc815":"7154f314e6be7dc008df2c832baa1d39":"71abc2cae4c699d47c600268"
 
+SSL TLS 1.3 Key schedule: Derive-Secret( ., "derived", "")
+# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/)
+# Derive-Secret( Early-Secret, "derived", "")
+# Tests the case where context isn't yet hashed (empty string here,
+# but still needs to be hashed)
+# 64657269766564 = hex("derived")
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a":"64657269766564":"":32:0:"6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba"
+
+SSL TLS 1.3 Key schedule: Derive-Secret( ., "s ap traffic", hash)
+# Vector from TLS 1.3 Byte by Byte (https://tls13.ulfheim.net/)
+# Derive-Secret( MasterSecret, "s ap traffic", hash)
+# Tests the case where context is already hashed
+depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL
+ssl_tls1_3_derive_secret:MBEDTLS_MD_SHA256:"7f2882bb9b9a46265941653e9c2f19067118151e21d12e57a7b6aca1f8150c8d":"732061702074726166666963":"22844b930e5e0a59a09d5ac35fc032fc91163b193874a265236e568077378d8b":32:1:"3fc35ea70693069a277956afa23b8f4543ce68ac595f2aace05cd7a1c92023d5"
+
 SSL TLS_PRF MBEDTLS_SSL_TLS_PRF_NONE
 ssl_tls_prf:MBEDTLS_SSL_TLS_PRF_NONE:"":"":"test tls_prf label":"":MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
 
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 36f10ca61..b488b23b0 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3742,6 +3742,33 @@ void ssl_tls1_3_traffic_key_generation( int hash_alg,
 }
 /* END_CASE */
 
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
+void ssl_tls1_3_derive_secret( int hash_alg,
+                               data_t *secret,
+                               data_t *label,
+                               data_t *ctx,
+                               int desired_length,
+                               int already_hashed,
+                               data_t *expected )
+{
+    unsigned char dst[ 100 ];
+
+    /* Check sanity of test parameters. */
+    TEST_ASSERT( (size_t) desired_length <= sizeof(dst) );
+    TEST_ASSERT( (size_t) desired_length == expected->len );
+
+    TEST_ASSERT( mbedtls_ssl_tls1_3_derive_secret(
+                      (mbedtls_md_type_t) hash_alg,
+                      secret->x, secret->len,
+                      label->x, label->len,
+                      ctx->x, ctx->len,
+                      already_hashed,
+                      dst, desired_length ) == 0 );
+
+    TEST_ASSERT( memcmp( dst, expected->x, desired_length ) == 0 );
+}
+/* END_CASE */
+
 /* BEGIN_CASE */
 void ssl_tls_prf( int type, data_t * secret, data_t * random,
                   char *label, data_t *result_hex_str, int exp_ret )