diff --git a/doc/wget.texi b/doc/wget.texi
index 38b4a245..7ae19d8e 100644
--- a/doc/wget.texi
+++ b/doc/wget.texi
@@ -1784,9 +1784,9 @@ If Wget is compiled without SSL support, none of these options are available.
 @cindex SSL protocol, choose
 @item --secure-protocol=@var{protocol}
 Choose the secure protocol to be used. Legal values are @samp{auto},
-@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1}, @samp{TLSv1_2}
-and @samp{PFS}. If @samp{auto} is used, the SSL library is given the
-liberty of choosing the appropriate protocol automatically, which is
+@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1}, @samp{TLSv1_2},
+@samp{TLSv1_3} and @samp{PFS}. If @samp{auto} is used, the SSL library is
+given the liberty of choosing the appropriate protocol automatically, which is
 achieved by sending a TLSv1 greeting. This is the default.
 Specifying @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1},
diff --git a/src/gnutls.c b/src/gnutls.c
index 07844c52..206d0b09 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -565,6 +565,15 @@ set_prio_default (gnutls_session_t session)
 err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1", NULL);
 break;
+ case secure_protocol_tlsv1_3:
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+ err = gnutls_priority_set_direct (session, "NORMAL:-VERS-SSL3.0:+VERS-TLS1.3:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2", NULL);
+ break;
+#else
+ logprintf (LOG_NOTQUIET, _("Your GnuTLS version is too old to support TLS 1.3\n"));
+ return -1;
+#endif
+
 case secure_protocol_pfs:
 err = gnutls_priority_set_direct (session, "PFS:-VERS-SSL3.0", NULL);
 if (err != GNUTLS_E_SUCCESS)
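Review bot: The `#if GNUTLS_VERSION_NUMBER >= 0x030603` gate and the "too old to support TLS 1.3" logprintf/return pair added under `case secure_protocol_tlsv1_3` are repeated verbatim in the second gnutls.c hunk (the `gnutls_protocol_set_priority` branch of the same switch), so the version threshold lives in two places; a single file-scope definition such as `#define HAVE_GNUTLS_TLS1_3 (GNUTLS_VERSION_NUMBER >= 0x030603)` used by both hunks keeps it in one. The `#else` arm also returns -1 straight out of the switch while every neighbouring case sets `err` and breaks, so a reader following the post-switch error handling may not notice this case bypasses it; a comment such as `/* nothing to apply: leave before the post-switch err check */` on the `return -1;` would make that explicit. set_prio_default begins before this hunk and continues after it.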
@@ -596,20 +605,39 @@ set_prio_default (gnutls_session_t session)
 allowed_protocols[0] = GNUTLS_TLS1_0;
 allowed_protocols[1] = GNUTLS_TLS1_1;
 allowed_protocols[2] = GNUTLS_TLS1_2;
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+ allowed_protocols[3] = GNUTLS_TLS1_3;
+#endif
 err = gnutls_protocol_set_priority (session, allowed_protocols);
 break;
 case secure_protocol_tlsv1_1:
 allowed_protocols[0] = GNUTLS_TLS1_1;
 allowed_protocols[1] = GNUTLS_TLS1_2;
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+ allowed_protocols[2] = GNUTLS_TLS1_3;
+#endif
 err = gnutls_protocol_set_priority (session, allowed_protocols);
 break;
 case secure_protocol_tlsv1_2:
 allowed_protocols[0] = GNUTLS_TLS1_2;
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+ allowed_protocols[1] = GNUTLS_TLS1_3;
+#endif
 err = gnutls_protocol_set_priority (session, allowed_protocols);
 break;
+ case secure_protocol_tlsv1_3:
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+ allowed_protocols[0] = GNUTLS_TLS1_3;
+ err = gnutls_protocol_set_priority (session, allowed_protocols);
+ break;
+#else
+ logprintf (LOG_NOTQUIET, _("Your GnuTLS version is too old to support TLS 1.3\n"));
+ return -1;
+#endif
+
 default:
 logprintf (LOG_NOTQUIET, _("GnuTLS: unimplemented 'secure-protocol' option value %d\n"), opt.secure_protocol);
 logprintf (LOG_NOTQUIET, _("Please report this issue to bug-wget@gnu.org\n"));
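Review bot: `allowed_protocols[3] = GNUTLS_TLS1_3;` in `case secure_protocol_tlsv1` writes a fourth element into an array whose declaration is outside this hunk; `gnutls_protocol_set_priority` takes a zero-terminated list, so if the array is still sized for the previous maximum of three versions plus a terminator, this store overwrites the terminator and the library reads past the end of the array. The declaration should grow by one and stay zero-filled, e.g. `int allowed_protocols[5] = {0, 0, 0, 0, 0};`, or each case should write the terminator explicitly after its last entry. Since a GnuTLS satisfying `GNUTLS_VERSION_NUMBER >= 0x030603` presumably also provides `gnutls_priority_set_direct`, the new `#if` blocks in this fallback branch look unlikely ever to be compiled on such a library; a one-line comment saying so would stop a maintainer from expecting them to be exercised. The enclosing switch and set_prio_default continue past the end of the hunk.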