diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 1ef9f84..d3ca63c 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3140,6 +3140,13 @@
 // |SSL_process_quic_post_handshake| to process it. It is an error to call
 // |SSL_read| and |SSL_write| in QUIC.
 //
+// 0-RTT behaves similarly to |TLS_method|'s usual behavior. |SSL_do_handshake|
+// returns early as soon as the client (respectively, server) is allowed to send
+// 0-RTT (respectively, half-RTT) data. The caller should then call
+// |SSL_do_handshake| again to consume the remaining handshake messages and
+// confirm the handshake. As a client, |SSL_ERROR_EARLY_DATA_REJECTED| and
+// |SSL_reset_early_data_reject| behave as usual.
+//
 // Note that secrets for an encryption level may be available to QUIC before the
 // level is active in TLS. Callers should use |SSL_quic_read_level| to determine
 // the active read level for |SSL_provide_quic_data|. |SSL_do_handshake| will
@@ -3155,7 +3162,8 @@
 // |SSL_quic_max_handshake_flight_len| to get the maximum buffer length at each
 // encryption level.
 //
-// Note: 0-RTT is not currently supported via this API.
+// Note: 0-RTT support is incomplete and does not currently handle QUIC
+// transport parameters and server SETTINGS frame.
 
 // ssl_encryption_level_t represents a specific QUIC encryption level used to
 // transmit handshake messages.
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index 4e8ca6a..8be9f6b 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -459,7 +459,11 @@
   if (!tls13_init_early_key_schedule(
           hs, MakeConstSpan(ssl->session->master_key,
                             ssl->session->master_key_length)) ||
-      !tls13_derive_early_secrets(hs) ||
+      !tls13_derive_early_secret(hs) ||
+      !tls13_set_early_secret_for_quic(hs)) {
+    return ssl_hs_error;
+  }
+  if (ssl->quic_method == nullptr &&
       !tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_seal,
                              hs->early_traffic_secret())) {
     return ssl_hs_error;
diff --git a/ssl/internal.h b/ssl/internal.h
index f55e047..ec3594c 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -1265,9 +1265,17 @@
                            enum evp_aead_direction_t direction,
                            Span<const uint8_t> traffic_secret);
 
-// tls13_derive_early_secrets derives the early traffic secret. It returns true
-// on success and false on error.
-bool tls13_derive_early_secrets(SSL_HANDSHAKE *hs);
+// tls13_derive_early_secret derives the early traffic secret. It returns true
+// on success and false on error. Unlike with other traffic secrets, this
+// function does not pass the keys to QUIC. Call
+// |tls13_set_early_secret_for_quic| to do so. This is done to due to an
+// ordering complication around resolving HelloRetryRequest on the server.
+bool tls13_derive_early_secret(SSL_HANDSHAKE *hs);
+
+// tls13_set_early_secret_for_quic passes the early traffic secrets, as
+// derived by |tls13_derive_early_secret|, to QUIC. It returns true on success
+// and false on error.
+bool tls13_set_early_secret_for_quic(SSL_HANDSHAKE *hs);
 
 // tls13_derive_handshake_secrets derives the handshake traffic secret. It
 // returns true on success and false on error.
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index 03760b6..4b92acd 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -4698,7 +4698,9 @@
 
 class MockQUICTransport {
  public:
-  MockQUICTransport() {
+  enum class Role { kClient, kServer };
+
+  explicit MockQUICTransport(Role role) : role_(role) {
     // The caller is expected to configure initial secrets.
     levels_[ssl_encryption_initial].write_secret = {1};
     levels_[ssl_encryption_initial].read_secret = {1};
@@ -4735,18 +4737,38 @@
       return false;
     }
 
-    if (level != ssl_encryption_early_data &&
-        (read_secret == nullptr || write_secret == nullptr)) {
-      ADD_FAILURE() << "key was unexpectedly null";
+    bool expect_read_secret = true, expect_write_secret = true;
+    if (level == ssl_encryption_early_data) {
+      if (role_ == Role::kClient) {
+        expect_read_secret = false;
+      } else {
+        expect_write_secret = false;
+      }
+    }
+
+    if (expect_read_secret) {
+      if (read_secret == nullptr) {
+        ADD_FAILURE() << "read secret was unexpectedly null";
+        return false;
+      }
+      levels_[level].read_secret.assign(read_secret, read_secret + secret_len);
+    } else if (read_secret != nullptr) {
+      ADD_FAILURE() << "unexpected read secret";
       return false;
     }
-    if (read_secret != nullptr) {
-      levels_[level].read_secret.assign(read_secret, read_secret + secret_len);
-    }
-    if (write_secret != nullptr) {
+
+    if (expect_write_secret) {
+      if (write_secret == nullptr) {
+        ADD_FAILURE() << "write secret was unexpectedly null";
+        return false;
+      }
       levels_[level].write_secret.assign(write_secret,
                                          write_secret + secret_len);
+    } else if (write_secret != nullptr) {
+      ADD_FAILURE() << "unexpected write secret";
+      return false;
     }
+
     levels_[level].cipher = SSL_CIPHER_get_id(cipher);
     return true;
   }
@@ -4783,7 +4805,7 @@
                          ssl_encryption_level_t level,
                          size_t num = std::numeric_limits<size_t>::max()) {
     if (levels_[level].read_secret.empty()) {
-      ADD_FAILURE() << "data read before keys configured";
+      ADD_FAILURE() << "data read before keys configured in level " << level;
       return false;
     }
     // The peer may not have configured any keys yet.
@@ -4792,11 +4814,12 @@
     }
     // Check the peer computed the same key.
     if (peer_->levels_[level].write_secret != levels_[level].read_secret) {
-      ADD_FAILURE() << "peer write key does not match read key";
+      ADD_FAILURE() << "peer write key does not match read key in level "
+                    << level;
       return false;
     }
     if (peer_->levels_[level].cipher != levels_[level].cipher) {
-      ADD_FAILURE() << "peer cipher does not match";
+      ADD_FAILURE() << "peer cipher does not match in level " << level;
       return false;
     }
     std::vector<uint8_t> *peer_data = &peer_->levels_[level].write_data;
@@ -4807,6 +4830,7 @@
   }
 
  private:
+  Role role_;
   MockQUICTransport *peer_ = nullptr;
 
   bool has_alert_ = false;
@@ -4824,21 +4848,24 @@
 
 class MockQUICTransportPair {
  public:
-  MockQUICTransportPair() {
-    server_.set_peer(&client_);
+  MockQUICTransportPair()
+      : client_(MockQUICTransport::Role::kClient),
+        server_(MockQUICTransport::Role::kServer) {
     client_.set_peer(&server_);
+    server_.set_peer(&client_);
   }
 
   ~MockQUICTransportPair() {
-    server_.set_peer(nullptr);
     client_.set_peer(nullptr);
+    server_.set_peer(nullptr);
   }
 
   MockQUICTransport *client() { return &client_; }
   MockQUICTransport *server() { return &server_; }
 
   bool SecretsMatch(ssl_encryption_level_t level) const {
-    return client_.PeerSecretsMatch(level);
+    return client_.HasSecrets(level) && server_.HasSecrets(level) &&
+           client_.PeerSecretsMatch(level);
   }
 
  private:
@@ -4890,24 +4917,80 @@
     SSL_set_connect_state(client_.get());
     SSL_set_accept_state(server_.get());
 
-    ex_data_.Set(client_.get(), transport_.client());
-    ex_data_.Set(server_.get(), transport_.server());
+    transport_.reset(new MockQUICTransportPair);
+    ex_data_.Set(client_.get(), transport_->client());
+    ex_data_.Set(server_.get(), transport_->server());
     return true;
   }
 
-  bool CreateSecondClientAndServer() {
-    client_.reset(SSL_new(client_ctx_.get()));
-    server_.reset(SSL_new(server_ctx_.get()));
-    if (!client_ || !server_) {
-      return false;
+  // CompleteHandshakesForQUIC runs |SSL_do_handshake| on |client_| and
+  // |server_| until each completes once. It returns true on success and false
+  // on failure.
+  bool CompleteHandshakesForQUIC() {
+    bool client_done = false, server_done = false;
+    while (!client_done || !server_done) {
+      if (!client_done) {
+        if (!ProvideHandshakeData(client_.get())) {
+          ADD_FAILURE() << "ProvideHandshakeData(client_) failed";
+          return false;
+        }
+        int client_ret = SSL_do_handshake(client_.get());
+        if (client_ret == 1) {
+          client_done = true;
+        } else {
+          EXPECT_EQ(client_ret, -1);
+          EXPECT_EQ(SSL_get_error(client_.get(), client_ret),
+                    SSL_ERROR_WANT_READ);
+        }
+      }
+
+      if (!server_done) {
+        if (!ProvideHandshakeData(server_.get())) {
+          ADD_FAILURE() << "ProvideHandshakeData(server_) failed";
+          return false;
+        }
+        int server_ret = SSL_do_handshake(server_.get());
+        if (server_ret == 1) {
+          server_done = true;
+        } else {
+          EXPECT_EQ(server_ret, -1);
+          EXPECT_EQ(SSL_get_error(server_.get(), server_ret),
+                    SSL_ERROR_WANT_READ);
+        }
+      }
+    }
+    return true;
+  }
+
+  bssl::UniquePtr<SSL_SESSION> CreateClientSessionForQUIC() {
+    g_last_session = nullptr;
+    SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
+    if (!CreateClientAndServer() ||
+        !CompleteHandshakesForQUIC()) {
+      return nullptr;
     }
 
-    SSL_set_connect_state(client_.get());
-    SSL_set_accept_state(server_.get());
+    // The server sent NewSessionTicket messages in the handshake.
+    if (!ProvideHandshakeData(client_.get()) ||
+        !SSL_process_quic_post_handshake(client_.get())) {
+      return nullptr;
+    }
 
-    ex_data_.Set(client_.get(), second_transport_.client());
-    ex_data_.Set(server_.get(), second_transport_.server());
-    return true;
+    return std::move(g_last_session);
+  }
+
+  void ExpectHandshakeSuccess() {
+    EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
+    EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(client_.get()));
+    EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(client_.get()));
+    EXPECT_EQ(ssl_encryption_application, SSL_quic_read_level(server_.get()));
+    EXPECT_EQ(ssl_encryption_application, SSL_quic_write_level(server_.get()));
+    EXPECT_FALSE(transport_->client()->has_alert());
+    EXPECT_FALSE(transport_->server()->has_alert());
+
+    // SSL_do_handshake is now idempotent.
+    EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
+    EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
   }
 
   // The following functions may be configured on an |SSL_QUIC_METHOD| as
@@ -4942,8 +5025,7 @@
   bssl::UniquePtr<SSL_CTX> server_ctx_;
 
   static UnownedSSLExData<MockQUICTransport> ex_data_;
-  MockQUICTransportPair transport_;
-  MockQUICTransportPair second_transport_;
+  std::unique_ptr<MockQUICTransportPair> transport_;
 
   bssl::UniquePtr<SSL> client_;
   bssl::UniquePtr<SSL> server_;
@@ -4966,33 +5048,13 @@
   SSL_CTX_sess_set_new_cb(client_ctx_.get(), SaveLastSession);
   ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
   ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
+
   ASSERT_TRUE(CreateClientAndServer());
+  ASSERT_TRUE(CompleteHandshakesForQUIC());
 
-  for (;;) {
-    ASSERT_TRUE(ProvideHandshakeData(client_.get()));
-    int client_ret = SSL_do_handshake(client_.get());
-    if (client_ret != 1) {
-      ASSERT_EQ(client_ret, -1);
-      ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
-    }
-
-    ASSERT_TRUE(ProvideHandshakeData(server_.get()));
-    int server_ret = SSL_do_handshake(server_.get());
-    if (server_ret != 1) {
-      ASSERT_EQ(server_ret, -1);
-      ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ);
-    }
-
-    if (client_ret == 1 && server_ret == 1) {
-      break;
-    }
-  }
-
-  EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
-  EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
-  EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
-  EXPECT_FALSE(transport_.client()->has_alert());
-  EXPECT_FALSE(transport_.server()->has_alert());
+  ExpectHandshakeSuccess();
+  EXPECT_FALSE(SSL_session_reused(client_.get()));
+  EXPECT_FALSE(SSL_session_reused(server_.get()));
 
   // The server sent NewSessionTicket messages in the handshake.
   EXPECT_FALSE(g_last_session);
@@ -5001,35 +5063,13 @@
   EXPECT_TRUE(g_last_session);
 
   // Create a second connection to verify resumption works.
-  ASSERT_TRUE(CreateSecondClientAndServer());
+  ASSERT_TRUE(CreateClientAndServer());
   bssl::UniquePtr<SSL_SESSION> session = std::move(g_last_session);
   SSL_set_session(client_.get(), session.get());
 
-  for (;;) {
-    ASSERT_TRUE(ProvideHandshakeData(client_.get()));
-    int client_ret = SSL_do_handshake(client_.get());
-    if (client_ret != 1) {
-      ASSERT_EQ(client_ret, -1);
-      ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
-    }
+  ASSERT_TRUE(CompleteHandshakesForQUIC());
 
-    ASSERT_TRUE(ProvideHandshakeData(server_.get()));
-    int server_ret = SSL_do_handshake(server_.get());
-    if (server_ret != 1) {
-      ASSERT_EQ(server_ret, -1);
-      ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ);
-    }
-
-    if (client_ret == 1 && server_ret == 1) {
-      break;
-    }
-  }
-
-  EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
-  EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
-  EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
-  EXPECT_FALSE(transport_.client()->has_alert());
-  EXPECT_FALSE(transport_.server()->has_alert());
+  ExpectHandshakeSuccess();
   EXPECT_TRUE(SSL_session_reused(client_.get()));
   EXPECT_TRUE(SSL_session_reused(server_.get()));
 }
@@ -5056,32 +5096,133 @@
                                   OPENSSL_ARRAY_SIZE(kServerPrefs)));
 
   ASSERT_TRUE(CreateClientAndServer());
+  ASSERT_TRUE(CompleteHandshakesForQUIC());
+  ExpectHandshakeSuccess();
+}
 
-  for (;;) {
-    ASSERT_TRUE(ProvideHandshakeData(client_.get()));
-    int client_ret = SSL_do_handshake(client_.get());
-    if (client_ret != 1) {
-      ASSERT_EQ(client_ret, -1);
-      ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
+TEST_F(QUICMethodTest, ZeroRTTAccept) {
+  const SSL_QUIC_METHOD quic_method = {
+      SetEncryptionSecretsCallback,
+      AddHandshakeDataCallback,
+      FlushFlightCallback,
+      SendAlertCallback,
+  };
+
+  SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
+  SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
+  SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
+  ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
+  ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
+
+  bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
+  ASSERT_TRUE(session);
+
+  ASSERT_TRUE(CreateClientAndServer());
+  SSL_set_session(client_.get(), session.get());
+
+  // The client handshake should return immediately into the early data state.
+  ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
+  EXPECT_TRUE(SSL_in_early_data(client_.get()));
+  // The transport should have keys for sending 0-RTT data.
+  EXPECT_TRUE(
+      transport_->client()->HasSecrets(ssl_encryption_early_data));
+
+  // The server will consume the ClientHello and also enter the early data
+  // state.
+  ASSERT_TRUE(ProvideHandshakeData(server_.get()));
+  ASSERT_EQ(SSL_do_handshake(server_.get()), 1);
+  EXPECT_TRUE(SSL_in_early_data(server_.get()));
+  EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_early_data));
+  // The transport should have keys for sending half-RTT data.
+  EXPECT_TRUE(
+      transport_->server()->HasSecrets(ssl_encryption_application));
+
+  // Finish up the client and server handshakes.
+  ASSERT_TRUE(CompleteHandshakesForQUIC());
+
+  // Both sides can now exchange 1-RTT data.
+  ExpectHandshakeSuccess();
+  EXPECT_TRUE(SSL_session_reused(client_.get()));
+  EXPECT_TRUE(SSL_session_reused(server_.get()));
+  EXPECT_FALSE(SSL_in_early_data(client_.get()));
+  EXPECT_FALSE(SSL_in_early_data(server_.get()));
+  EXPECT_TRUE(SSL_early_data_accepted(client_.get()));
+  EXPECT_TRUE(SSL_early_data_accepted(server_.get()));
+}
+
+TEST_F(QUICMethodTest, ZeroRTTReject) {
+  const SSL_QUIC_METHOD quic_method = {
+      SetEncryptionSecretsCallback,
+      AddHandshakeDataCallback,
+      FlushFlightCallback,
+      SendAlertCallback,
+  };
+
+  SSL_CTX_set_session_cache_mode(client_ctx_.get(), SSL_SESS_CACHE_BOTH);
+  SSL_CTX_set_early_data_enabled(client_ctx_.get(), 1);
+  SSL_CTX_set_early_data_enabled(server_ctx_.get(), 1);
+  ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
+  ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
+
+  bssl::UniquePtr<SSL_SESSION> session = CreateClientSessionForQUIC();
+  ASSERT_TRUE(session);
+
+  for (bool reject_hrr : {false, true}) {
+    SCOPED_TRACE(reject_hrr);
+
+    ASSERT_TRUE(CreateClientAndServer());
+    if (reject_hrr) {
+      // Configure the server to prefer P-256, which will reject 0-RTT via
+      // HelloRetryRequest.
+      int p256 = NID_X9_62_prime256v1;
+      ASSERT_TRUE(SSL_set1_curves(server_.get(), &p256, 1));
+    } else {
+      // Disable 0-RTT on the server, so it will reject it.
+      SSL_set_early_data_enabled(server_.get(), 0);
     }
+    SSL_set_session(client_.get(), session.get());
 
+    // The client handshake should return immediately into the early data state.
+    ASSERT_EQ(SSL_do_handshake(client_.get()), 1);
+    EXPECT_TRUE(SSL_in_early_data(client_.get()));
+    // The transport should have keys for sending 0-RTT data.
+    EXPECT_TRUE(transport_->client()->HasSecrets(ssl_encryption_early_data));
+
+    // The server will consume the ClientHello, but it will not accept 0-RTT.
     ASSERT_TRUE(ProvideHandshakeData(server_.get()));
-    int server_ret = SSL_do_handshake(server_.get());
-    if (server_ret != 1) {
-      ASSERT_EQ(server_ret, -1);
-      ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ);
+    ASSERT_EQ(SSL_do_handshake(server_.get()), -1);
+    EXPECT_EQ(SSL_ERROR_WANT_READ, SSL_get_error(server_.get(), -1));
+    EXPECT_FALSE(SSL_in_early_data(server_.get()));
+    EXPECT_FALSE(transport_->server()->HasSecrets(ssl_encryption_early_data));
+
+    // The client consumes the server response and signals 0-RTT rejection.
+    for (;;) {
+      ASSERT_TRUE(ProvideHandshakeData(client_.get()));
+      ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
+      int err = SSL_get_error(client_.get(), -1);
+      if (err == SSL_ERROR_EARLY_DATA_REJECTED) {
+        break;
+      }
+      ASSERT_EQ(SSL_ERROR_WANT_READ, err);
     }
 
-    if (client_ret == 1 && server_ret == 1) {
-      break;
-    }
+    // As in TLS over TCP, 0-RTT rejection is sticky.
+    ASSERT_EQ(-1, SSL_do_handshake(client_.get()));
+    ASSERT_EQ(SSL_ERROR_EARLY_DATA_REJECTED, SSL_get_error(client_.get(), -1));
+
+    // Finish up the client and server handshakes.
+    SSL_reset_early_data_reject(client_.get());
+    ASSERT_TRUE(CompleteHandshakesForQUIC());
+
+    // Both sides can now exchange 1-RTT data.
+    ExpectHandshakeSuccess();
+    EXPECT_TRUE(SSL_session_reused(client_.get()));
+    EXPECT_TRUE(SSL_session_reused(server_.get()));
+    EXPECT_FALSE(SSL_in_early_data(client_.get()));
+    EXPECT_FALSE(SSL_in_early_data(server_.get()));
+    EXPECT_FALSE(SSL_early_data_accepted(client_.get()));
+    EXPECT_FALSE(SSL_early_data_accepted(server_.get()));
   }
-
-  EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
-  EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
-  EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
-  EXPECT_FALSE(transport_.client()->has_alert());
-  EXPECT_FALSE(transport_.server()->has_alert());
 }
 
 // Test only releasing data to QUIC one byte at a time on request, to maximize
@@ -5137,11 +5278,7 @@
     }
   }
 
-  EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
-  EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
-  EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
-  EXPECT_FALSE(transport_.client()->has_alert());
-  EXPECT_FALSE(transport_.server()->has_alert());
+  ExpectHandshakeSuccess();
 }
 
 // Test buffering write data until explicit flushes.
@@ -5188,31 +5325,9 @@
   buffered_flights.Set(client_.get(), &client_flight);
   buffered_flights.Set(server_.get(), &server_flight);
 
-  for (;;) {
-    ASSERT_TRUE(ProvideHandshakeData(client_.get()));
-    int client_ret = SSL_do_handshake(client_.get());
-    if (client_ret != 1) {
-      ASSERT_EQ(client_ret, -1);
-      ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
-    }
+  ASSERT_TRUE(CompleteHandshakesForQUIC());
 
-    ASSERT_TRUE(ProvideHandshakeData(server_.get()));
-    int server_ret = SSL_do_handshake(server_.get());
-    if (server_ret != 1) {
-      ASSERT_EQ(server_ret, -1);
-      ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ);
-    }
-
-    if (client_ret == 1 && server_ret == 1) {
-      break;
-    }
-  }
-
-  EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
-  EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
-  EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
-  EXPECT_FALSE(transport_.client()->has_alert());
-  EXPECT_FALSE(transport_.server()->has_alert());
+  ExpectHandshakeSuccess();
 }
 
 // Test that excess data at one level is rejected. That is, if a single
@@ -5262,13 +5377,13 @@
   EXPECT_EQ(ERR_GET_REASON(err), SSL_R_BUFFERED_MESSAGES_ON_CIPHER_CHANGE);
 
   // The client sends an alert in response to this.
-  ASSERT_TRUE(transport_.client()->has_alert());
-  EXPECT_EQ(transport_.client()->alert_level(), ssl_encryption_initial);
-  EXPECT_EQ(transport_.client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
+  ASSERT_TRUE(transport_->client()->has_alert());
+  EXPECT_EQ(transport_->client()->alert_level(), ssl_encryption_initial);
+  EXPECT_EQ(transport_->client()->alert(), SSL_AD_UNEXPECTED_MESSAGE);
 
   // Sanity-check client did get far enough to process the ServerHello and
   // install keys.
-  EXPECT_TRUE(transport_.client()->HasSecrets(ssl_encryption_handshake));
+  EXPECT_TRUE(transport_->client()->HasSecrets(ssl_encryption_handshake));
 }
 
 // Test that |SSL_provide_quic_data| will reject data at the wrong level.
@@ -5298,7 +5413,7 @@
   // Data cannot be provided at the next level.
   std::vector<uint8_t> data;
   ASSERT_TRUE(
-      transport_.client()->ReadHandshakeData(&data, ssl_encryption_initial));
+      transport_->client()->ReadHandshakeData(&data, ssl_encryption_initial));
   ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_handshake,
                                      data.data(), data.size()));
   ERR_clear_error();
@@ -5312,7 +5427,7 @@
 
   // Data cannot be provided at the previous level.
   ASSERT_TRUE(
-      transport_.client()->ReadHandshakeData(&data, ssl_encryption_handshake));
+      transport_->client()->ReadHandshakeData(&data, ssl_encryption_handshake));
   ASSERT_FALSE(SSL_provide_quic_data(client_.get(), ssl_encryption_initial,
                                      data.data(), data.size()));
 }
@@ -5357,32 +5472,13 @@
   ASSERT_TRUE(SSL_CTX_set_quic_method(client_ctx_.get(), &quic_method));
   ASSERT_TRUE(SSL_CTX_set_quic_method(server_ctx_.get(), &quic_method));
   ASSERT_TRUE(CreateClientAndServer());
-
-  for (;;) {
-    ASSERT_TRUE(ProvideHandshakeData(client_.get()));
-    int client_ret = SSL_do_handshake(client_.get());
-    if (client_ret != 1) {
-      ASSERT_EQ(client_ret, -1);
-      ASSERT_EQ(SSL_get_error(client_.get(), client_ret), SSL_ERROR_WANT_READ);
-    }
-
-    ASSERT_TRUE(ProvideHandshakeData(server_.get()));
-    int server_ret = SSL_do_handshake(server_.get());
-    if (server_ret != 1) {
-      ASSERT_EQ(server_ret, -1);
-      ASSERT_EQ(SSL_get_error(server_.get(), server_ret), SSL_ERROR_WANT_READ);
-    }
-
-    if (client_ret == 1 && server_ret == 1) {
-      break;
-    }
-  }
+  ASSERT_TRUE(CompleteHandshakesForQUIC());
 
   EXPECT_EQ(SSL_do_handshake(client_.get()), 1);
   EXPECT_EQ(SSL_do_handshake(server_.get()), 1);
-  EXPECT_TRUE(transport_.SecretsMatch(ssl_encryption_application));
-  EXPECT_FALSE(transport_.client()->has_alert());
-  EXPECT_FALSE(transport_.server()->has_alert());
+  EXPECT_TRUE(transport_->SecretsMatch(ssl_encryption_application));
+  EXPECT_FALSE(transport_->client()->has_alert());
+  EXPECT_FALSE(transport_->server()->has_alert());
 
   // Junk sent as part of post-handshake data should cause an error.
   uint8_t kJunk[] = {0x17, 0x0, 0x0, 0x4, 0xB, 0xE, 0xE, 0xF};
diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc
index a7d0d89..12f4738 100644
--- a/ssl/tls13_client.cc
+++ b/ssl/tls13_client.cc
@@ -633,12 +633,16 @@
 
   if (ssl->s3->early_data_accepted) {
     hs->can_early_write = false;
-    ScopedCBB cbb;
-    CBB body;
-    if (!ssl->method->init_message(ssl, cbb.get(), &body,
-                                   SSL3_MT_END_OF_EARLY_DATA) ||
-        !ssl_add_message_cbb(ssl, cbb.get())) {
-      return ssl_hs_error;
+    // QUIC omits the EndOfEarlyData message. See draft-ietf-quic-tls-22,
+    // section 8.3.
+    if (ssl->quic_method == nullptr) {
+      ScopedCBB cbb;
+      CBB body;
+      if (!ssl->method->init_message(ssl, cbb.get(), &body,
+                                     SSL3_MT_END_OF_EARLY_DATA) ||
+          !ssl_add_message_cbb(ssl, cbb.get())) {
+        return ssl_hs_error;
+      }
     }
   }
 
@@ -911,6 +915,15 @@
       OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
       return false;
     }
+
+    // QUIC does not use the max_early_data_size parameter and always sets it to
+    // a fixed value. See draft-ietf-quic-tls-22, section 4.5.
+    if (ssl->quic_method != nullptr &&
+        session->ticket_max_early_data != 0xffffffff) {
+      ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER);
+      OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+      return false;
+    }
   }
 
   // Generate a session ID for this session. Some callers expect all sessions to
diff --git a/ssl/tls13_enc.cc b/ssl/tls13_enc.cc
index b8bebe1..83b3d62 100644
--- a/ssl/tls13_enc.cc
+++ b/ssl/tls13_enc.cc
@@ -178,6 +178,8 @@
     // encryption itself will be handled by the SSL_QUIC_METHOD.
     traffic_aead =
         SSLAEADContext::CreatePlaceholderForQUIC(version, session->cipher);
+    // QUIC never installs early data keys at the TLS layer.
+    assert(level != ssl_encryption_early_data);
   }
 
   if (!traffic_aead) {
@@ -226,7 +228,7 @@
 static const char kTLS13LabelClientApplicationTraffic[] = "c ap traffic";
 static const char kTLS13LabelServerApplicationTraffic[] = "s ap traffic";
 
-bool tls13_derive_early_secrets(SSL_HANDSHAKE *hs) {
+bool tls13_derive_early_secret(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   if (!derive_secret(hs, hs->early_traffic_secret(),
                      label_to_span(kTLS13LabelClientEarlyTraffic)) ||
@@ -234,26 +236,30 @@
                       hs->early_traffic_secret())) {
     return false;
   }
+  return true;
+}
 
-  if (ssl->quic_method != nullptr) {
-    if (ssl->server) {
-      if (!ssl->quic_method->set_encryption_secrets(
-              ssl, ssl_encryption_early_data, nullptr,
-              hs->early_traffic_secret().data(),
-              hs->early_traffic_secret().size())) {
-        OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);
-        return false;
-      }
-    } else {
-      if (!ssl->quic_method->set_encryption_secrets(
-              ssl, ssl_encryption_early_data, hs->early_traffic_secret().data(),
-              nullptr, hs->early_traffic_secret().size())) {
-        OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);
-        return false;
-      }
+bool tls13_set_early_secret_for_quic(SSL_HANDSHAKE *hs) {
+  SSL *const ssl = hs->ssl;
+  if (ssl->quic_method == nullptr) {
+    return true;
+  }
+  if (ssl->server) {
+    if (!ssl->quic_method->set_encryption_secrets(
+            ssl, ssl_encryption_early_data, hs->early_traffic_secret().data(),
+            /*write_secret=*/nullptr, hs->early_traffic_secret().size())) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);
+      return false;
+    }
+  } else {
+    if (!ssl->quic_method->set_encryption_secrets(
+            ssl, ssl_encryption_early_data, /*read_secret=*/nullptr,
+            hs->early_traffic_secret().data(),
+            hs->early_traffic_secret().size())) {
+      OPENSSL_PUT_ERROR(SSL, SSL_R_QUIC_INTERNAL_ERROR);
+      return false;
     }
   }
-
   return true;
 }
 
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index f1891cf..a52a49c 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -146,7 +146,10 @@
     }
     session->ticket_age_add_valid = true;
     if (ssl->enable_early_data) {
-      session->ticket_max_early_data = kMaxEarlyDataAccepted;
+      // QUIC does not use the max_early_data_size parameter and always sets it
+      // to a fixed value. See draft-ietf-quic-tls-22, section 4.5.
+      session->ticket_max_early_data =
+          ssl->quic_method != nullptr ? 0xffffffff : kMaxEarlyDataAccepted;
     }
 
     static_assert(kNumTickets < 256, "Too many tickets");
@@ -442,7 +445,7 @@
   }
 
   if (ssl->s3->early_data_accepted) {
-    if (!tls13_derive_early_secrets(hs)) {
+    if (!tls13_derive_early_secret(hs)) {
       return ssl_hs_error;
     }
   } else if (hs->early_data_offered) {
@@ -468,6 +471,15 @@
     return ssl_hs_error;
   }
 
+  // Note we defer releasing the early traffic secret to QUIC until after ECDHE
+  // is resolved. The early traffic secret should be derived before the key
+  // schedule incorporates ECDHE, but doing so may reject 0-RTT. To avoid
+  // confusing the caller, we split derivation and releasing the secret to QUIC.
+  if (ssl->s3->early_data_accepted &&
+      !tls13_set_early_secret_for_quic(hs)) {
+    return ssl_hs_error;
+  }
+
   ssl->method->next_message(ssl);
   hs->tls13_state = state_send_server_hello;
   return ssl_hs_ok;
@@ -731,7 +743,8 @@
     // Finished early. See RFC 8446, section 4.6.1.
     static const uint8_t kEndOfEarlyData[4] = {SSL3_MT_END_OF_EARLY_DATA, 0,
                                                0, 0};
-    if (!hs->transcript.Update(kEndOfEarlyData)) {
+    if (ssl->quic_method == nullptr &&
+        !hs->transcript.Update(kEndOfEarlyData)) {
       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
       return ssl_hs_error;
     }
@@ -772,7 +785,9 @@
 static enum ssl_hs_wait_t do_read_second_client_flight(SSL_HANDSHAKE *hs) {
   SSL *const ssl = hs->ssl;
   if (ssl->s3->early_data_accepted) {
-    if (!tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,
+    // QUIC never receives handshake messages under 0-RTT keys.
+    if (ssl->quic_method == nullptr &&
+        !tls13_set_traffic_key(ssl, ssl_encryption_early_data, evp_aead_open,
                                hs->early_traffic_secret())) {
       return ssl_hs_error;
     }
@@ -780,6 +795,19 @@
     hs->can_early_read = true;
     hs->in_early_data = true;
   }
+
+  // QUIC doesn't use an EndOfEarlyData message (draft-ietf-quic-tls-22,
+  // section 8.3), so we switch to client_handshake_secret before the early
+  // return.
+  if (ssl->quic_method != nullptr) {
+    if (!tls13_set_traffic_key(ssl, ssl_encryption_handshake, evp_aead_open,
+                               hs->client_handshake_secret())) {
+      return ssl_hs_error;
+    }
+    hs->tls13_state = state_read_client_certificate;
+    return ssl->s3->early_data_accepted ? ssl_hs_early_return : ssl_hs_ok;
+  }
+
   hs->tls13_state = state_process_end_of_early_data;
   return ssl->s3->early_data_accepted ? ssl_hs_read_end_of_early_data
                                       : ssl_hs_ok;