diff --git a/neqo-crypto/bindings/bindings.toml b/neqo-crypto/bindings/bindings.toml
index 72c6d524d5..5d692f78b5 100644
--- a/neqo-crypto/bindings/bindings.toml
+++ b/neqo-crypto/bindings/bindings.toml
@@ -153,6 +153,7 @@ functions = [
 "CERT_DestroyCertificate",
 "CERT_DestroyCertList",
 "CERT_GetCertificateDer",
+ "NSS_SetAlgorithmPolicy",
 "PK11_CipherOp",
 "PK11_CreateContextBySymKey",
 "PK11_DestroyContext",
@@ -208,6 +209,7 @@ variables = [
 "CKM_EC_KEY_PAIR_GEN",
 "CKM_HKDF_DERIVE",
 "CKM_INVALID_MECHANISM",
+ "NSS_USE_ALG_IN_SSL_KX",
 "PK11_ATTR_INSENSITIVE",
 "PK11_ATTR_PRIVATE",
 "PK11_ATTR_PUBLIC",
diff --git a/neqo-crypto/src/lib.rs b/neqo-crypto/src/lib.rs
index 2db985e8ee..9b8a478294 100644
--- a/neqo-crypto/src/lib.rs
+++ b/neqo-crypto/src/lib.rs
@@ -122,6 +122,13 @@ pub fn init() -> Res<()> {
 secstatus_to_res(unsafe { nss::NSS_NoDB_Init(null()) })?;
 secstatus_to_res(unsafe { nss::NSS_SetDomesticPolicy() })?;
+ secstatus_to_res(unsafe {
+ p11::NSS_SetAlgorithmPolicy(
+ p11::SECOidTag::SEC_OID_XYBER768D00,
+ p11::NSS_USE_ALG_IN_SSL_KX,
+ 0,
+ )
+ })?;
 Ok(NssLoaded::NoDb)
 });
@@ -170,6 +177,13 @@ pub fn init_db>(dir: P) -> Res<()> {
 })?;
 secstatus_to_res(unsafe { nss::NSS_SetDomesticPolicy() })?;
+ secstatus_to_res(unsafe {
+ p11::NSS_SetAlgorithmPolicy(
+ p11::SECOidTag::SEC_OID_XYBER768D00,
+ p11::NSS_USE_ALG_IN_SSL_KX,
+ 0,
+ )
+ })?;
 secstatus_to_res(unsafe { ssl::SSL_ConfigServerSessionIDCache(1024, 0, 0, dircstr.as_ptr()) })?;
diff --git a/neqo-transport/src/crypto.rs b/neqo-transport/src/crypto.rs
index 60d056f2d2..aca76b8bb9 100644
--- a/neqo-transport/src/crypto.rs
+++ b/neqo-transport/src/crypto.rs
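Review bot: The seven-line `NSS_SetAlgorithmPolicy` block is pasted verbatim into both `init()` and `init_db()` (the second hunk of this file), with no comment saying why it is needed, so the two call sites can drift and the next reader has to look up what the policy bit does. Factor it into one private helper in this file and call it from both places; the helper is the natural home for the explanation. The `NSS_USE_ALG_IN_SSL_KX` bit presumably has to be set explicitly because `NSS_SetDomesticPolicy()` does not enable this KEM on its own — confirm against the NSS release in use and state it in the helper's doc comment. `SEC_OID_XYBER768D00` names the draft-00 hybrid, so the comment should also flag that this OID is expected to be superseded and will need to follow NSS. Both enclosing functions start before and end after their hunks.

```rust
/// Permit Xyber768d00 in TLS key exchange.
///
/// Called right after `NSS_SetDomesticPolicy()` in both `init()` and
/// `init_db()`, which presumably does not enable this KEM by itself
/// (confirm against the NSS release in use). `SEC_OID_XYBER768D00` is the
/// draft-00 hybrid codepoint and is expected to be superseded.
fn enable_xyber_kx() -> Res<()> {
    secstatus_to_res(unsafe {
        p11::NSS_SetAlgorithmPolicy(
            p11::SECOidTag::SEC_OID_XYBER768D00,
            p11::NSS_USE_ALG_IN_SSL_KX,
            0,
        )
    })
}
// … at both former call sites, replacing the inline block:
enable_xyber_kx()?;
```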
@@ -21,7 +21,7 @@ use neqo_crypto::{
 TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_CT_HANDSHAKE, TLS_EPOCH_APPLICATION_DATA, TLS_EPOCH_HANDSHAKE, TLS_EPOCH_INITIAL, TLS_EPOCH_ZERO_RTT, TLS_GRP_EC_SECP256R1, TLS_GRP_EC_SECP384R1, TLS_GRP_EC_SECP521R1, TLS_GRP_EC_X25519,
- TLS_VERSION_1_3,
+ TLS_GRP_KEM_XYBER768D00, TLS_VERSION_1_3,
 };
 use crate::{
@@ -76,20 +76,36 @@ impl Crypto {
 TLS_AES_256_GCM_SHA384,
 TLS_CHACHA20_POLY1305_SHA256,
 ])?;
- agent.set_groups(&[
- TLS_GRP_EC_X25519,
- TLS_GRP_EC_SECP256R1,
- TLS_GRP_EC_SECP384R1,
- TLS_GRP_EC_SECP521R1,
- ])?;
- agent.send_additional_key_shares(1)?;
+ match &mut agent {
+ Agent::Server(c) => {
+ // Clients do not send xyber shares by default, but servers should accept them.
+ c.set_groups(&[
+ TLS_GRP_KEM_XYBER768D00,
+ TLS_GRP_EC_X25519,
+ TLS_GRP_EC_SECP256R1,
+ TLS_GRP_EC_SECP384R1,
+ TLS_GRP_EC_SECP521R1,
+ ])?;
+ }
+ Agent::Client(c) => {
+ c.set_groups(&[
+ TLS_GRP_EC_X25519,
+ TLS_GRP_EC_SECP256R1,
+ TLS_GRP_EC_SECP384R1,
+ TLS_GRP_EC_SECP521R1,
+ ])?;
+
+ // Configure clients to send both X25519 and P256 to reduce
+ // the rate of HRRs.
+ c.send_additional_key_shares(1)?;
+
+ // Always enable 0-RTT on the client, but the server needs
+ // more configuration passed to server_enable_0rtt.
+ c.enable_0rtt()?;
+ }
+ }
 agent.set_alpn(&protocols)?;
 agent.disable_end_of_early_data()?;
- // Always enable 0-RTT on the client, but the server needs
- // more configuration passed to server_enable_0rtt.
- if let Agent::Client(c) = &mut agent {
- c.enable_0rtt()?;
- }
 let extension = match version {
 Version::Version2 | Version::Version1 => 0x39,
 Version::Draft29 | Version::Draft30 | Version::Draft31 | Version::Draft32 => 0xffa5,
diff --git a/neqo-transport/tests/connection.rs b/neqo-transport/tests/connection.rs
index 1490fe02e8..35167d0abd 100644
--- a/neqo-transport/tests/connection.rs
+++ b/neqo-transport/tests/connection.rs
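Review bot: In the second hunk the four classical groups are now listed twice, once per `match` arm, so a later change to the curve order can silently diverge between client and server; hoisting them into a single local slice that the server arm prefixes with `TLS_GRP_KEM_XYBER768D00` keeps one source of truth. The server arm also silently drops the `send_additional_key_shares(1)` call that the removed code applied to both roles; if that setting is client-only in NSS, a one-line comment such as `// Additional key shares are a client-side setting; the server sends exactly one.` would save the next reader the check. Since the order passed to `set_groups` appears to be preference order, the server-side comment could also state that Xyber is chosen whenever the client offers a share for it, and that `TLS_GRP_KEM_XYBER768D00` is the draft-00 hybrid codepoint rather than a final standard. The enclosing constructor starts before and ends after this hunk.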
@@ -277,3 +277,26 @@ fn overflow_crypto() {
 }
 panic!("Was not able to overflow the crypto buffer");
 }
+
+#[test]
+fn test_handshake_xyber() {
+ let mut client = default_client();
+ let mut server = default_server();
+
+ client
+ .set_groups(&[neqo_crypto::TLS_GRP_KEM_XYBER768D00])
+ .ok();
+ client.send_additional_key_shares(0).ok();
+
+ test_fixture::handshake(&mut client, &mut server);
+ assert_eq!(*client.state(), State::Confirmed);
+ assert_eq!(*server.state(), State::Confirmed);
+ assert_eq!(
+ client.tls_info().unwrap().key_exchange(),
+ neqo_crypto::TLS_GRP_KEM_XYBER768D00
+ );
+ assert_eq!(
+ server.tls_info().unwrap().key_exchange(),
+ neqo_crypto::TLS_GRP_KEM_XYBER768D00
+ );
+}
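Review bot: `client.set_groups(...).ok()` and `client.send_additional_key_shares(0).ok()` discard the `Result`, so if either configuration call is rejected the test still runs and only fails later on the `State::Confirmed` or `key_exchange()` assertion, pointing at the wrong line. Use `client.set_groups(&[neqo_crypto::TLS_GRP_KEM_XYBER768D00]).unwrap();` and `client.send_additional_key_shares(0).unwrap();` so a setup failure is reported where it happens; if these calls are expected to fail in some configurations, `expect` with the reason is still better than silently continuing. This test pins that the server accepts an xyber-only client; a sibling test asserting that an unmodified `default_client()` still ends up on `TLS_GRP_EC_X25519` would help confirm that the server's new group order in `neqo-transport/src/crypto.rs` does not change the outcome for classical-only clients.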