diff --git a/handshake_server_tls13.go b/handshake_server_tls13.go
index 3552d89..76fff69 100644
--- a/handshake_server_tls13.go
+++ b/handshake_server_tls13.go
@@ -280,7 +280,7 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {
 			c.sendAlert(alertIllegalParameter)
 			return errors.New("tls: invalid X25519MLKEM768 client key share")
 		}
-		ciphertext, mlkemSharedSecret := k.Encapsulate()
+		mlkemSharedSecret, ciphertext := k.Encapsulate()
 		// draft-kwiatkowski-tls-ecdhe-mlkem-02, Section 3.1.3: "For
 		// X25519MLKEM768, the shared secret is the concatenation of the ML-KEM
 		// shared secret and the X25519 shared secret. The shared secret is 64