diff --git a/src/tls13.c b/src/tls13.c
index f4a6ddcdb..08e2adefb 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -3987,22 +3987,28 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
         /* Decode the identity. */
         if (DoClientTicket(ssl, current->identity, current->identityLen)
                                                      == WOLFSSL_TICKET_RET_OK) {
-            word32 now;
-            int    diff;
+            word32  now;
+            sword64 diff;
 
             now = TimeNowInMilliseconds();
             if (now == (word32)GETTIME_ERROR)
                 return now;
-            if (now < ssl->session.ticketSeen)
-                diff = (0xFFFFFFFFU - ssl->session.ticketSeen) + 1 + now;
-            else
-                diff = now - ssl->session.ticketSeen;
-            diff -= current->ticketAge - ssl->session.ticketAdd;
+            /* Difference between now and time ticket constructed
+             * (from decrypted ticket). */
+            diff = now;
+            diff -= ssl->session.ticketSeen;
+            if (diff > (sword64)ssl->timeout * 1000 ||
+                diff > (sword64)TLS13_MAX_TICKET_AGE * 1000) {
+                current = current->next;
+                continue;
+            }
+            /* Subtract client's ticket age and unobfuscate. */
+            diff -= current->ticketAge;
+            diff += ssl->session.ticketAdd;
             /* Check session and ticket age timeout.
              * Allow +/- 1000 milliseconds on ticket age.
              */
-            if (diff > (int)ssl->timeout * 1000 || diff < -1000 ||
-                                     diff - MAX_TICKET_AGE_SECS * 1000 > 1000) {
+            if (diff < -1000 || diff - MAX_TICKET_AGE_DIFF * 1000 > 1000) {
                 current = current->next;
                 continue;
             }
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index b4313b7fe..369fd32a7 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1490,11 +1490,12 @@ enum Misc {
     DTLS_TIMEOUT_MAX        = 64, /* default max timeout for DTLS receive */
     DTLS_TIMEOUT_MULTIPLIER =  2, /* default timeout multiplier for DTLS recv */
 
-    NULL_TERM_LEN      =   1,  /* length of null '\0' termination character */
-    MAX_PSK_KEY_LEN    =  64,  /* max psk key supported */
-    MIN_PSK_ID_LEN     =   6,  /* min length of identities */
-    MIN_PSK_BINDERS_LEN=  33,  /* min length of binders */
-    MAX_TICKET_AGE_SECS=  10,  /* maximum ticket age in seconds */
+    NULL_TERM_LEN        =   1,  /* length of null '\0' termination character */
+    MAX_PSK_KEY_LEN      =  64,  /* max psk key supported */
+    MIN_PSK_ID_LEN       =   6,  /* min length of identities */
+    MIN_PSK_BINDERS_LEN  =  33,  /* min length of binders */
+    MAX_TICKET_AGE_DIFF  =  10,  /* maximum ticket age difference in seconds */
+    TLS13_MAX_TICKET_AGE =  7*24*60*60,  /* max ticket age in seconds, 7 days */
 
 #ifndef MAX_WOLFSSL_FILE_SIZE
     MAX_WOLFSSL_FILE_SIZE = 1024ul * 1024ul * 4,  /* 4 mb file size alloc limit */