diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 2a879e8f3..48b5691de 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -1080,9 +1080,21 @@ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
     case SSL_SECOP_VERSION:
         if (!SSL_IS_DTLS(s)) {
 #ifndef OPENSSL_NO_NTLS
-            /* NTLS v1.1 not allowed at level 3 */
-            if (nid == NTLS_VERSION && level >= 3)
-                return 0;
+
+            /*-
+            * NTLS v1.1 not suitable for above level 3 
+            * https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
+            * level 3: Security level set to 128 bits of security. 
+            * As a result RSA, DSA and DH keys shorter than 3072 bits and ECC 
+            * keys shorter than 256 bits are prohibited. In addition to the 
+            * level 2 exclusions cipher suites not offering forward secrecy are 
+            * prohibited. TLS versions below 1.1 are not  permitted. 
+            * Session tickets are disabled. 
+            */
+            if (nid == NTLS_VERSION) {
+                return level > 3 ? 0 : 1;
+            }
+
 #endif
             /* SSLv3 not allowed at level 2 */
             if (nid <= SSL3_VERSION && level >= 2)
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index cff0338cf..d88011b33 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1770,7 +1770,11 @@ int ssl_set_version_bound(int method_version, int version, int *bound)
         return 1;
     }
 
+#ifndef OPENSSL_NO_NTLS
+    valid_tls = version >= NTLS1_1_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
+#else
     valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION_INTERNAL;
+#endif
     valid_dtls =
         DTLS_VERSION_LE(version, DTLS_MAX_VERSION_INTERNAL) &&
         DTLS_VERSION_GE(version, DTLS1_BAD_VER);
diff --git a/test/ssl_ntls_api_test.c b/test/ssl_ntls_api_test.c
index 79f20e7b2..c6414428b 100644
--- a/test/ssl_ntls_api_test.c
+++ b/test/ssl_ntls_api_test.c
@@ -502,6 +502,10 @@ static int test_ntls_ssl_set_cert_pkey_api(int i)
     if (!TEST_true(ssl != NULL))
         goto err;
 
+    SSL_CTX_set_security_level(ctx, 2);
+    SSL_CTX_set_min_proto_version(ctx, NTLS1_1_VERSION);
+    SSL_CTX_set_max_proto_version(ctx, NTLS1_1_VERSION);
+
     if (!TEST_int_eq(SSL_use_sign_certificate(ssl, sign_cert), 1))
         goto err;