diff --git a/configs/baremetal.h b/configs/baremetal.h
index 80ed74c36..e49a52c71 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -160,6 +160,10 @@
 /* Fault Injection Countermeasures */
 #define MBEDTLS_FI_COUNTERMEASURES
 #define MBEDTLS_CCM_SHUFFLING_MASKING
+/* Further optimizations */
+#define MBEDTLS_SSL_FREE_SERVER_CERTIFICATE
+#define MBEDTLS_IMMEDIATE_TRANSMISSION
+#define MBEDTLS_EARLY_KEY_COMPUTATION
 #if defined(MBEDTLS_USER_CONFIG_FILE)
 #include MBEDTLS_USER_CONFIG_FILE
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 872899c03..c675cbde1 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -43,8 +43,8 @@
 /**
  * \def MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION
  *
- * Enable the delayed verification of server
- * certificates on the client side.
+ * Enable the delayed verification of server
+ * certificates on the client side.
  *
  */
 #define MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION
@@ -1612,7 +1612,7 @@
  * but not afterwards.
  *
  */
-#define MBEDTLS_SSL_FREE_SERVER_CERTIFICATE
+//#define MBEDTLS_SSL_FREE_SERVER_CERTIFICATE
 /**
@@ -1622,7 +1622,7 @@
  *
  * Requires: MBEDTLS_SSL_PROTO_DTLS
  */
-#define MBEDTLS_IMMEDIATE_TRANSMISSION
+//#define MBEDTLS_IMMEDIATE_TRANSMISSION
 /**
  * \def MBEDTLS_EARLY_KEY_COMPUTATION
@@ -1630,9 +1630,9 @@
  * Create ephemeral Diffie-Hellman key pair after
  * the ClientHello has been successfully transmitted.
  *
- * Requires:
+ * Requires:
  */
-#define MBEDTLS_EARLY_KEY_COMPUTATION
+//#define MBEDTLS_EARLY_KEY_COMPUTATION
 /**
  * \def MBEDTLS_SSL_HW_RECORD_ACCEL
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 78637bad3..0a013cab6 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
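Review bot: MBEDTLS_IMMEDIATE_TRANSMISSION is switched on in configs/baremetal.h while the config.h text in this same diff documents it as `Requires: MBEDTLS_SSL_PROTO_DTLS`, and nothing in the diff adds a check_config.h guard for any of the three new options, so a profile that lacks DTLS would not be rejected at configuration time. A guard of the usual form, `#if defined(MBEDTLS_IMMEDIATE_TRANSMISSION) && !defined(MBEDTLS_SSL_PROTO_DTLS)` / `#error "MBEDTLS_IMMEDIATE_TRANSMISSION defined, but not all prerequisites"` / `#endif`, would surface the mismatch early; whether baremetal.h enables MBEDTLS_SSL_PROTO_DTLS is not visible in this hunk. The `/* Further optimizations */` label also undersells what is being turned on: per the config.h descriptions two of these options change handshake behaviour (the server certificate is freed, and the ephemeral Diffie-Hellman key pair is created right after the ClientHello goes out, before the server has answered), so a one-line pointer such as `/* Handshake shortcuts; see the option descriptions in include/mbedtls/config.h */` would help anyone auditing this profile.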
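Review bot: In the @@ -1630 hunk the `+ * Requires:` line for MBEDTLS_EARLY_KEY_COMPUTATION is still empty after the trailing-whitespace fix, so the option is documented without its prerequisite. Either name the dependency (presumably the ephemeral Diffie-Hellman key exchange the description refers to — confirm against the implementation) or drop the line, as the neighbouring MBEDTLS_IMMEDIATE_TRANSMISSION entry in the @@ -1622 hunk does with `* Requires: MBEDTLS_SSL_PROTO_DTLS`. Since the same three options are commented out here but enabled in configs/baremetal.h in this diff, a short sentence in each description stating that the option is off by default and enabled by the baremetal profile would make the intended scope explicit to readers of config.h alone.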
@@ -7989,7 +7989,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) && defined(MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION)
 /* ssl_parse_delayed_certificate_verify() defines a wrapper around ssl_parse_certificate_verify
- * to call it in ssl_cli.c rather than purely internal to ssl_tls.c.
+ * to call it in ssl_cli.c rather than purely internal to ssl_tls.c.
  */
 int ssl_parse_delayed_certificate_verify( mbedtls_ssl_context *ssl,
                                           int authmode,
@@ -8003,7 +8003,7 @@ int ssl_parse_delayed_certificate_verify( mbedtls_ssl_context *ssl,
                                           rs_ctx ) );
 }
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED && MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION */
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED && MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION */
 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
diff --git a/scripts/config.pl b/scripts/config.pl
index af85824f1..f3b9da6a9 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -61,6 +61,10 @@
 # MBEDTLS_VALIDATE_SSL_KEYS_INTEGRITY
 # MBEDTLS_OPTIMIZE_TINYCRYPT_ASM
 # MBEDTLS_AES_128_BIT_MASKED
+# MBEDTLS_PLATFORM_FAULT_CALLBACKS
+# MBEDTLS_SSL_FREE_SERVER_CERTIFICATE
+# MBEDTLS_IMMEDIATE_TRANSMISSION
+# MBEDTLS_EARLY_KEY_COMPUTATION
 # and any symbol beginning _ALT
 #
 # The baremetal configuration excludes options that require a library or
@@ -149,6 +153,9 @@
 MBEDTLS_VALIDATE_SSL_KEYS_INTEGRITY
 MBEDTLS_OPTIMIZE_TINYCRYPT_ASM
 MBEDTLS_AES_128_BIT_MASKED
 MBEDTLS_PLATFORM_FAULT_CALLBACKS
+MBEDTLS_SSL_FREE_SERVER_CERTIFICATE
+MBEDTLS_IMMEDIATE_TRANSMISSION
+MBEDTLS_EARLY_KEY_COMPUTATION
 _ALT\s*$
 );
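Review bot: The comment list in the @@ -61 hunk and the exclusion list in the @@ -149 hunk of scripts/config.pl have to be kept in step by hand, and these hunks show they had already drifted: MBEDTLS_PLATFORM_FAULT_CALLBACKS is context in the exclusion list but only now gets added to the comment. A one-line reminder directly above the list, `# Keep this list in sync with the option list in the header comment above`, or generating the comment from the list itself, would make it less likely that the next option excluded from `full` lands in only one of the two places. The list being extended starts before the hunk; only its tail (`_ALT\s*$` and the closing `);`) is visible here.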