diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
index 5ecc42bd33..abb2b2e773 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSsl.java
@@ -205,25 +205,29 @@ public final class OpenSsl {
                 long cert = 0;
                 long key = 0;
                 try {
-                    try {
-                        StringBuilder tlsv13Ciphers = new StringBuilder();
+                    // As we delegate to the KeyManager / TrustManager of the JDK we need to ensure it can actually
+                    // handle TLSv13 as otherwise we may see runtime exceptions
+                    if (SslProvider.isTlsv13Supported(SslProvider.JDK)) {
+                        try {
+                            StringBuilder tlsv13Ciphers = new StringBuilder();
 
-                        for (String cipher: TLSV13_CIPHERS) {
-                            String converted = CipherSuiteConverter.toOpenSsl(cipher, IS_BORINGSSL);
-                            if (converted != null) {
-                                tlsv13Ciphers.append(converted).append(':');
+                            for (String cipher : TLSV13_CIPHERS) {
+                                String converted = CipherSuiteConverter.toOpenSsl(cipher, IS_BORINGSSL);
+                                if (converted != null) {
+                                    tlsv13Ciphers.append(converted).append(':');
+                                }
+                            }
+                            if (tlsv13Ciphers.length() == 0) {
+                                tlsv13Supported = false;
+                            } else {
+                                tlsv13Ciphers.setLength(tlsv13Ciphers.length() - 1);
+                                SSLContext.setCipherSuite(sslCtx, tlsv13Ciphers.toString(), true);
+                                tlsv13Supported = true;
                             }
-                        }
-                        if (tlsv13Ciphers.length() == 0) {
-                            tlsv13Supported = false;
-                        } else {
-                            tlsv13Ciphers.setLength(tlsv13Ciphers.length() - 1);
-                            SSLContext.setCipherSuite(sslCtx, tlsv13Ciphers.toString() , true);
-                            tlsv13Supported = true;
-                        }
 
-                    } catch (Exception ignore) {
-                        tlsv13Supported = false;
+                        } catch (Exception ignore) {
+                            tlsv13Supported = false;
+                        }
                     }
 
                     SSLContext.setCipherSuite(sslCtx, "ALL", false);
@@ -342,7 +346,7 @@ public final class OpenSsl {
                 protocols.add(SslProtocols.TLS_v1_2);
             }
 
-            // This is only supported by java11 and later.
+            // This is only supported by java8u272 and later.
             if (tlsv13Supported && doesSupportProtocol(SSL.SSL_PROTOCOL_TLSV1_3, SSL.SSL_OP_NO_TLSv1_3)) {
                 protocols.add(SslProtocols.TLS_v1_3);
                 TLSV13_SUPPORTED = true;
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslTlsv13X509ExtendedTrustManager.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslTlsv13X509ExtendedTrustManager.java
deleted file mode 100644
index c37f339b63..0000000000
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslTlsv13X509ExtendedTrustManager.java
+++ /dev/null
@@ -1,236 +0,0 @@
-/*
- * Copyright 2018 The Netty Project
- *
- * The Netty Project licenses this file to you under the Apache License,
- * version 2.0 (the "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at:
- *
- *   https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
- * License for the specific language governing permissions and limitations
- * under the License.
- */
-package io.netty.handler.ssl;
-
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLSessionContext;
-import javax.net.ssl.X509ExtendedTrustManager;
-import java.net.Socket;
-import java.security.Principal;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.List;
-
-/**
- * Provide a way to use {@code TLSv1.3} with Java versions prior to 11 by adding a
- * <a href="https://mail.openjdk.java.net/pipermail/security-dev/2018-September/018242.html>workaround</a> for the
- * default {@link X509ExtendedTrustManager} implementations provided by the JDK that can not handle a protocol version
- * of {@code TLSv1.3}.
- */
-final class OpenSslTlsv13X509ExtendedTrustManager extends X509ExtendedTrustManager {
-
-    private final X509ExtendedTrustManager tm;
-
-    private OpenSslTlsv13X509ExtendedTrustManager(X509ExtendedTrustManager tm) {
-        this.tm = tm;
-    }
-
-    static X509ExtendedTrustManager wrap(X509ExtendedTrustManager tm) {
-        if (!SslProvider.isTlsv13Supported(SslProvider.JDK) && SslProvider.isTlsv13Supported(SslProvider.OPENSSL)) {
-            return new OpenSslTlsv13X509ExtendedTrustManager(tm);
-        }
-        return tm;
-    }
-
-    @Override
-    public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket)
-            throws CertificateException {
-        tm.checkClientTrusted(x509Certificates, s, socket);
-    }
-
-    @Override
-    public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket)
-            throws CertificateException {
-        tm.checkServerTrusted(x509Certificates, s, socket);
-    }
-
-    private static SSLEngine wrapEngine(final SSLEngine engine) {
-        final SSLSession session = engine.getHandshakeSession();
-        if (session != null && SslProtocols.TLS_v1_3.equals(session.getProtocol())) {
-            return new JdkSslEngine(engine) {
-                @Override
-                public String getNegotiatedApplicationProtocol() {
-                    if (engine instanceof ApplicationProtocolAccessor) {
-                        return ((ApplicationProtocolAccessor) engine).getNegotiatedApplicationProtocol();
-                    }
-                    return super.getNegotiatedApplicationProtocol();
-                }
-
-                @Override
-                public SSLSession getHandshakeSession() {
-                    if (session instanceof ExtendedOpenSslSession) {
-                        final ExtendedOpenSslSession extendedOpenSslSession = (ExtendedOpenSslSession) session;
-                        return new ExtendedOpenSslSession(extendedOpenSslSession) {
-                            @Override
-                            public List getRequestedServerNames() {
-                                return extendedOpenSslSession.getRequestedServerNames();
-                            }
-
-                            @Override
-                            public String[] getPeerSupportedSignatureAlgorithms() {
-                                return extendedOpenSslSession.getPeerSupportedSignatureAlgorithms();
-                            }
-
-                            @Override
-                            public String getProtocol() {
-                                return SslProtocols.TLS_v1_2;
-                            }
-                        };
-                    } else {
-                        return new SSLSession() {
-                            @Override
-                            public byte[] getId() {
-                                return session.getId();
-                            }
-
-                            @Override
-                            public SSLSessionContext getSessionContext() {
-                                return session.getSessionContext();
-                            }
-
-                            @Override
-                            public long getCreationTime() {
-                                return session.getCreationTime();
-                            }
-
-                            @Override
-                            public long getLastAccessedTime() {
-                                return session.getLastAccessedTime();
-                            }
-
-                            @Override
-                            public void invalidate() {
-                                session.invalidate();
-                            }
-
-                            @Override
-                            public boolean isValid() {
-                                return session.isValid();
-                            }
-
-                            @Override
-                            public void putValue(String s, Object o) {
-                                session.putValue(s, o);
-                            }
-
-                            @Override
-                            public Object getValue(String s) {
-                               return session.getValue(s);
-                            }
-
-                            @Override
-                            public void removeValue(String s) {
-                                session.removeValue(s);
-                            }
-
-                            @Override
-                            public String[] getValueNames() {
-                                return session.getValueNames();
-                            }
-
-                            @Override
-                            public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
-                                return session.getPeerCertificates();
-                            }
-
-                            @Override
-                            public Certificate[] getLocalCertificates() {
-                                return session.getLocalCertificates();
-                            }
-
-                            @Override
-                            public javax.security.cert.X509Certificate[] getPeerCertificateChain()
-                                    throws SSLPeerUnverifiedException {
-                                return session.getPeerCertificateChain();
-                            }
-
-                            @Override
-                            public Principal getPeerPrincipal() throws SSLPeerUnverifiedException {
-                                return session.getPeerPrincipal();
-                            }
-
-                            @Override
-                            public Principal getLocalPrincipal() {
-                                return session.getLocalPrincipal();
-                            }
-
-                            @Override
-                            public String getCipherSuite() {
-                                return session.getCipherSuite();
-                            }
-
-                            @Override
-                            public String getProtocol() {
-                                return SslProtocols.TLS_v1_2;
-                            }
-
-                            @Override
-                            public String getPeerHost() {
-                                return session.getPeerHost();
-                            }
-
-                            @Override
-                            public int getPeerPort() {
-                                return session.getPeerPort();
-                            }
-
-                            @Override
-                            public int getPacketBufferSize() {
-                                return session.getPacketBufferSize();
-                            }
-
-                            @Override
-                            public int getApplicationBufferSize() {
-                                return session.getApplicationBufferSize();
-                            }
-                        };
-                    }
-                }
-            };
-        }
-        return engine;
-    }
-
-    @Override
-    public void checkClientTrusted(X509Certificate[] x509Certificates, final String s, SSLEngine sslEngine)
-            throws CertificateException {
-        tm.checkClientTrusted(x509Certificates, s, wrapEngine(sslEngine));
-    }
-
-    @Override
-    public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine)
-            throws CertificateException {
-        tm.checkServerTrusted(x509Certificates, s, wrapEngine(sslEngine));
-    }
-
-    @Override
-    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
-        tm.checkClientTrusted(x509Certificates, s);
-    }
-
-    @Override
-    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
-        tm.checkServerTrusted(x509Certificates, s);
-    }
-
-    @Override
-    public X509Certificate[] getAcceptedIssuers() {
-        return tm.getAcceptedIssuers();
-    }
-}
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
index e63223bdb2..c0825882d0 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
@@ -218,7 +218,7 @@ public final class ReferenceCountedOpenSslClientContext extends ReferenceCounted
 
         ExtendedTrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509ExtendedTrustManager manager) {
             super(engineMap);
-            this.manager = OpenSslTlsv13X509ExtendedTrustManager.wrap(manager);
+            this.manager = manager;
         }
 
         @Override
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java
index 649170dafc..3667e74e52 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslServerContext.java
@@ -256,7 +256,7 @@ public final class ReferenceCountedOpenSslServerContext extends ReferenceCounted
 
         ExtendedTrustManagerVerifyCallback(OpenSslEngineMap engineMap, X509ExtendedTrustManager manager) {
             super(engineMap);
-            this.manager = OpenSslTlsv13X509ExtendedTrustManager.wrap(manager);
+            this.manager = manager;
         }
 
         @Override