diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index c2d2d6244..151b9fc5c 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2140,6 +2140,11 @@ static unsigned int parse_tls_flags(const char *val)
 {
 	unsigned int flags = 0;
 
+	/* Disable TLS v1.3 by default for now to avoid interoperability issue.
+	 * This can be enabled by default once the implementation has been fully
+	 * completed and tested with other implementations. */
+	flags |= TLS_CONN_DISABLE_TLSv1_3;
+
 	if (os_strstr(val, "[ALLOW-SIGN-RSA-MD5]"))
 		flags |= TLS_CONN_ALLOW_SIGN_RSA_MD5;
 	if (os_strstr(val, "[DISABLE-TIME-CHECKS]"))
@@ -2152,6 +2157,8 @@ static unsigned int parse_tls_flags(const char *val)
 		flags |= TLS_CONN_DISABLE_TLSv1_2;
 	if (os_strstr(val, "[DISABLE-TLSv1.3]"))
 		flags |= TLS_CONN_DISABLE_TLSv1_3;
+	if (os_strstr(val, "[ENABLE-TLSv1.3]"))
+		flags &= ~TLS_CONN_DISABLE_TLSv1_3;
 	if (os_strstr(val, "[SUITEB]"))
 		flags |= TLS_CONN_SUITEB;
 	if (os_strstr(val, "[SUITEB-NO-ECDH]"))
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index d9f50b1f9..056a79035 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -10,6 +10,7 @@
 
 #include "utils/common.h"
 #include "crypto/sha1.h"
+#include "crypto/tls.h"
 #include "radius/radius_client.h"
 #include "common/ieee802_11_defs.h"
 #include "common/eapol_common.h"
@@ -125,6 +126,11 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 #ifdef CONFIG_MBO
 	bss->mbo_cell_data_conn_pref = -1;
 #endif /* CONFIG_MBO */
+
+	/* Disable TLS v1.3 by default for now to avoid interoperability issue.
+	 * This can be enabled by default once the implementation has been fully
+	 * completed and tested with other implementations. */
+	bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3;
 }
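Review bot: The new comment above `flags |= TLS_CONN_DISABLE_TLSv1_3;` explains why TLS 1.3 is off but not how an operator turns it back on, so a reader of parse_tls_flags has to find the `[ENABLE-TLSv1.3]` handling further down to learn that this default is overridable at all. I would extend the comment with one line such as `* Operators can opt in per BSS with [ENABLE-TLSv1.3] in tls_flags.` so the default and its escape hatch are documented together. Since this silently caps EAP-TLS/PEAP/TTLS negotiation at TLS 1.2 for every BSS, the hostapd.conf description of tls_flags presumably needs the same note, though that file is not in this diff. The body of parse_tls_flags continues outside this hunk.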
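Review bot: The added `[ENABLE-TLSv1.3]` check clears the bit that the `[DISABLE-TLSv1.3]` check two lines above may have just set, so a tls_flags value containing both options resolves in favour of enable purely because of statement order, with no diagnostic. Silent last-wins handling of contradictory security options is easy to misconfigure; I would either document the precedence in the comment introduced earlier in this function, `/* [ENABLE-TLSv1.3] takes precedence over [DISABLE-TLSv1.3] if both are given */`, or, if the rest of parse_tls_flags already reports bad input (not visible here), log when both tokens are present. The substring match via os_strstr is consistent with the surrounding checks and is fine. The function continues outside this hunk.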
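Review bot: The line `bss->tls_flags = TLS_CONN_DISABLE_TLSv1_3;` duplicates the same hard-coded default, with the same three-line comment, that the config_file.c hunk adds inside parse_tls_flags, so the day TLS 1.3 becomes the default two call sites and two comments must be changed in lock-step or the parsed and unparsed defaults will disagree. I would introduce one named constant next to the flag definitions, e.g. `#define TLS_CONN_DEFAULT_FLAGS TLS_CONN_DISABLE_TLSv1_3`, and use it in both places, `bss->tls_flags = TLS_CONN_DEFAULT_FLAGS;` here and `unsigned int flags = TLS_CONN_DEFAULT_FLAGS;` in parse_tls_flags. The newly included crypto/tls.h is presumably where TLS_CONN_DISABLE_TLSv1_3 lives and would be the natural home for it, though that header is not in the diff. hostapd_config_defaults_bss starts outside this hunk.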