diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml
index c209b6505d..e1d64306b5 100644
--- a/.github/workflows/os-check.yml
+++ b/.github/workflows/os-check.yml
@@ -108,6 +108,18 @@ jobs:
 '--enable-lms=small,verify-only --enable-xmss=small,verify-only',
 '--enable-curve25519=nonblock --enable-ecc=nonblock --enable-sp=yes,nonblock CPPFLAGS="-DWOLFSSL_PUBLIC_MP -DWOLFSSL_DEBUG_NONBLOCK"',
 '--enable-certreq --enable-certext --enable-certgen --disable-secure-renegotiation-info CPPFLAGS="-DNO_TLS"',
+ # Minimal DTLS 1.3 client-only build. The SHA-224/384/512/3
+ # disables are deliberately omitted: --disable-sha384 alone
+ # trips a pre-existing wolfSSL bug in
+ # test_tls13_duplicate_extension (reproducible on clean master).
+ '--enable-dtls13 --disable-tlsv12 --disable-oldtls --disable-rsa --disable-dh
+ --disable-aescbc --disable-aesecb --disable-md5 --disable-chacha
+ --disable-poly1305 --disable-errorstrings --disable-asn-print
+ --disable-eccshamir --disable-base64encode --disable-coding --disable-sni
+ --enable-aesgcm=small --enable-sp-math --enable-sp=smallec256 --disable-sp-asm
+ CPPFLAGS=''-DNO_WOLFSSL_SERVER -DWOLFSSL_NO_TLS12 -DNO_SESSION_CACHE
+ -DWOLFSSL_AES_NO_UNROLL -DUSE_SLOW_SHA256 -DWOLFSSL_NO_ASYNC_IO
+ -DWOLFSSL_DTLS_ONLY'' ',
 ]
 name: make check linux
 if: github.repository_owner == 'wolfssl'
diff --git a/configure.ac b/configure.ac
index d324fb30d3..593afe2192 100644
--- a/configure.ac
+++ b/configure.ac
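Review bot: The only matrix entry that defines `-DWOLFSSL_DTLS_ONLY` also defines `-DNO_WOLFSSL_SERVER`, so the DTLS-only code paths are built and tested for a client alone. If the macro is meant to be usable on servers too, a second entry without `-DNO_WOLFSSL_SERVER` would cover that side; if it is client-only by design, the comment above the entry should say so. The comment also cites a pre-existing failure in test_tls13_duplicate_extension without a tracking reference, and a line such as `# TODO(<issue-id>): restore the SHA disables once fixed` would keep the omission from becoming permanent.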
@@ -5736,9 +5736,26 @@ AC_ARG_ENABLE([dtls13],
 )
 if test "x$ENABLED_DTLS13" = "xyes"
 then
- if test "x$ENABLED_DTLS" != "xyes" || test "x$ENABLED_TLS13" != "xyes"
+ # DTLSv1.3 implies TLS 1.3 and DTLS; auto-enable, but don't
+ # override explicit --disable.
+ if test "x$enable_tls13" = "xno" || test "x$ENABLED_TLS13" = "xno"
 then
- AC_MSG_ERROR([You need to enable both DTLS and TLSv1.3 to use DTLSv1.3])
+ AC_MSG_ERROR([--enable-dtls13 requires TLS 1.3, but TLS 1.3 is disabled])
+ fi
+ if test "x$ENABLED_TLS13" != "xyes"
+ then
+ AC_MSG_NOTICE([DTLSv1.3 is enabled, enabling TLS 1.3])
+ ENABLED_TLS13=yes
+ fi
+ if test "x$enable_dtls" = "xno"
+ then
+ AC_MSG_ERROR([--enable-dtls13 requires DTLS, but --disable-dtls was given])
+ fi
+ if test "x$ENABLED_DTLS" != "xyes"
+ then
+ AC_MSG_NOTICE([DTLSv1.3 is enabled, enabling DTLS])
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DTLS"
+ ENABLED_DTLS=yes
 fi
 if test "x$ENABLED_SEND_HRR_COOKIE" = "xundefined"
 then
diff --git a/src/internal.c b/src/internal.c
index c10b89d6a6..0f51815bfe 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2703,14 +2703,19 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
 }
 #endif
 #else
- ctx->CBIORecv = EmbedReceive;
- ctx->CBIOSend = EmbedSend;
+ #ifndef WOLFSSL_DTLS_ONLY
+ ctx->CBIORecv = EmbedReceive;
+ ctx->CBIOSend = EmbedSend;
+ #endif
 #ifdef WOLFSSL_SESSION_EXPORT
 ctx->CBGetPeer = EmbedGetPeer;
 ctx->CBSetPeer = EmbedSetPeer;
 #endif
 #ifdef WOLFSSL_DTLS
- if (method->version.major == DTLS_MAJOR) {
+ #ifndef WOLFSSL_DTLS_ONLY
+ if (method->version.major == DTLS_MAJOR)
+ #endif
+ {
 ctx->CBIORecv = EmbedReceiveFrom;
 ctx->CBIOSend = EmbedSendTo;
 }
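Review bot: `ENABLED_DTLS=yes` and `-DWOLFSSL_DTLS` are set inside the dtls13 block, so any test of `ENABLED_DTLS` that configure.ac performs above this point has already run with the old value; those lines are outside the hunk, so this needs checking against the full file. The TLS 1.3 branch is asymmetric with the DTLS one: it sets `ENABLED_TLS13=yes` but appends no define, which is correct only if the block that emits the TLS 1.3 flags comes later. Because the first check already errors when `ENABLED_TLS13` is `no`, that branch is reached only when the variable is neither `yes` nor `no`. A comment such as `# reached only when ENABLED_TLS13 is unset; TLS 1.3 flags are added further down` would make the ordering assumption explicit.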
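Review bot: With WOLFSSL_DTLS_ONLY defined, InitSSL_Ctx installs the datagram callbacks without looking at `method->version.major`, and WriteSEQ (a later hunk in this file) calls DtlsGetSEQ without looking at `ssl->options.dtls`, yet nothing in the visible hunks rejects a non-DTLS method in such a build. The record sequence number that WriteSEQ emits therefore rests on an invariant that is assumed rather than enforced. A guard near the top of InitSSL_Ctx, for example `if (method->version.major != DTLS_MAJOR) return BAD_FUNC_ARG;` under `#ifdef WOLFSSL_DTLS_ONLY`, would make it explicit. The function body starts and continues outside the hunk, so the check should be placed before anything that would need cleanup on the error path.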
@@ -9424,7 +9429,8 @@ void FreeSSL(WOLFSSL* ssl, void* heap)
 defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)) \
 && defined(HAVE_AEAD))
-#if defined(WOLFSSL_DTLS) || !defined(WOLFSSL_NO_TLS12)
+#if !defined(WOLFSSL_DTLS_ONLY) && \
+ (defined(WOLFSSL_DTLS) || !defined(WOLFSSL_NO_TLS12))
 static WC_INLINE void GetSEQIncrement(WOLFSSL* ssl, int verify, word32 seq[2])
 {
 if (verify) {
@@ -9444,7 +9450,7 @@ static WC_INLINE void GetSEQIncrement(WOLFSSL* ssl, int verify, word32 seq[2])
 }
 }
 }
-#endif /* WOLFSSL_DTLS || !WOLFSSL_NO_TLS12 */
+#endif /* !WOLFSSL_DTLS_ONLY && (WOLFSSL_DTLS || !WOLFSSL_NO_TLS12) */
 #ifdef WOLFSSL_DTLS
@@ -9531,6 +9537,9 @@ void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
 {
 word32 seq[2] = {0, 0};
+#ifdef WOLFSSL_DTLS_ONLY
+ DtlsGetSEQ(ssl, verifyOrder, seq);
+#else
 if (!ssl->options.dtls) {
 GetSEQIncrement(ssl, verifyOrder, seq);
 }
@@ -9539,6 +9548,7 @@ void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
 DtlsGetSEQ(ssl, verifyOrder, seq);
 #endif
 }
+#endif
 c32toa(seq[0], out);
 c32toa(seq[1], out + OPAQUE32_LEN);
diff --git a/src/wolfio.c b/src/wolfio.c
index fbea87f71d..98e719e8e2 100644
--- a/src/wolfio.c
+++ b/src/wolfio.c
@@ -402,6 +402,7 @@ int SslBioSend(WOLFSSL* ssl, char *buf, int sz, void *ctx)
 #ifdef USE_WOLFSSL_IO
+#ifndef WOLFSSL_DTLS_ONLY
 /* The receive embedded callback
 * return : nb bytes read, or error
 */
@@ -450,6 +451,7 @@ int EmbedSend(WOLFSSL* ssl, char *buf, int sz, void *ctx)
 return sent;
 }
+#endif /* !WOLFSSL_DTLS_ONLY */
 #ifdef WOLFSSL_DTLS
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index c2c982203f..8fb72e5598 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -1920,8 +1920,9 @@ static WARN_UNUSED_RESULT word32 col_mul(
 return GETBYTE(t, ia) ^ GETBYTE(t, ib) ^ t3 ^ tm;
 }
-#if defined(HAVE_AES_CBC) || defined(HAVE_AES_ECB) || \
- defined(WOLFSSL_AES_DIRECT)
+#if defined(HAVE_AES_DECRYPT) && \
+ (defined(HAVE_AES_CBC) || defined(HAVE_AES_ECB) || \
+ defined(WOLFSSL_AES_DIRECT))
 static WARN_UNUSED_RESULT word32 inv_col_mul(
 word32 t, int i9, int ib, int id, int ie)
 {
@@ -1932,7 +1933,7 @@ static WARN_UNUSED_RESULT word32 inv_col_mul(
 byte t0 = t9 ^ tb ^ td;
 return t0 ^ AES_XTIME(AES_XTIME(AES_XTIME(t0 ^ te) ^ td ^ te) ^ tb ^ te);
 }
-#endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT */
+#endif /* HAVE_AES_DECRYPT && (HAVE_AES_CBC || HAVE_AES_ECB || WOLFSSL_AES_DIRECT) */
 #endif /* WOLFSSL_AES_SMALL_TABLES */
 #endif
 #endif
diff --git a/wolfssl/wolfio.h b/wolfssl/wolfio.h
index 98415d012a..10c6f1a7bb 100644
--- a/wolfssl/wolfio.h
+++ b/wolfssl/wolfio.h
@@ -674,8 +674,10 @@ WOLFSSL_LOCAL int SslBioReceive(WOLFSSL* ssl, char* buf, int sz, void* ctx);
 /* default IO callbacks */
 #ifdef WOLFSSL_API_PREFIX_MAP
- #define EmbedReceive wolfSSL_EmbedReceive
- #define EmbedSend wolfSSL_EmbedSend
+ #ifndef WOLFSSL_DTLS_ONLY
+ #define EmbedReceive wolfSSL_EmbedReceive
+ #define EmbedSend wolfSSL_EmbedSend
+ #endif
 #ifdef WOLFSSL_DTLS
 #define EmbedReceiveFrom wolfSSL_EmbedReceiveFrom
 #define EmbedSendTo wolfSSL_EmbedSendTo
@@ -686,8 +688,10 @@ WOLFSSL_LOCAL int SslBioReceive(WOLFSSL* ssl, char* buf, int sz, void* ctx);
 #endif /* WOLFSSL_DTLS */
 #endif /* WOLFSSL_API_PREFIX_MAP */
+ #ifndef WOLFSSL_DTLS_ONLY
 WOLFSSL_API int EmbedReceive(WOLFSSL* ssl, char* buf, int sz, void* ctx);
 WOLFSSL_API int EmbedSend(WOLFSSL* ssl, char* buf, int sz, void* ctx);
+ #endif
 #ifdef WOLFSSL_DTLS
 #ifdef NUCLEUS_PLUS_2_3