diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index be80de71d..64870b132 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2090,6 +2090,21 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
 }
 #endif /* MBEDTLS_SSL_RENEGOTIATION */

+ /*
+ * Check if extended master secret is being enforced
+ */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+ ssl->conf->enforce_extended_master_secret ==
+ MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
+ ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
+ "secret, while it is enforced") );
+ handshake_failure = 1;
+ }
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
 if( handshake_failure == 1 )
 {
 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index c152bc3a8..0c65d8558 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2024,6 +2024,21 @@ read_record_header:
 }
 #endif /* MBEDTLS_SSL_RENEGOTIATION */

+ /*
+ * Check if extended master secret is being enforced
+ */
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+ ssl->conf->enforce_extended_master_secret ==
+ MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
+ ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
+ "secret, while it is enforced") );
+ handshake_failure = 1;
+ }
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
 if( handshake_failure == 1 )
 {
 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ca9131aea..27e55d93b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
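Review bot: The new enforcement block is duplicated verbatim between ssl_parse_server_hello here and the ssl_srv.c hunk of the same commit (inside ssl_parse_client_hello, judging by its read_record_header label), so the two conditions will drift the next time one is touched; a single helper in ssl_tls.c, exported through the internal header, that returns non-zero when enforcement is configured but the peer did not negotiate EMS would let both sites reduce to `if( <helper>( ssl ) != 0 ) handshake_failure = 1;`. The test also relies on `ssl->handshake->extended_ms` having been reset to MBEDTLS_SSL_EXTENDED_MS_DISABLED before the peer's extensions were parsed — presumably in the handshake-params initialisation, which is not in this diff and worth confirming, since a leftover value from an earlier handshake would silently defeat the enforcement. The comment above the block says what is checked but not why; `/* Enforcing EMS (RFC 7627) prevents a downgrade to the legacy master-secret derivation: a peer that does not negotiate it is rejected with a fatal handshake_failure alert. */` would tell the next reader. ssl_parse_server_hello starts and ends outside the hunk.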
@@ -8343,7 +8343,7 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
 }

 void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
- char ems_enf );
+ char ems_enf )
 {
 conf->enforce_extended_master_secret = ems_enf;
 }
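Review bot: The definition now compiles, but nothing states that the setter is inert on its own: the enforcement check this commit adds in ssl_cli.c and ssl_srv.c fires only when `ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED` as well, so enforce without enable silently does nothing. A comment above the definition, and ideally on the public declaration in ssl.h (outside this diff), such as `/* Only effective together with MBEDTLS_SSL_EXTENDED_MS_ENABLED; when set, a peer that does not negotiate EMS is rejected with a fatal handshake_failure alert */` would make the two-step configuration explicit. The argument is stored without validation, matching the neighbouring mbedtls_ssl_conf_extended_master_secret setter; since the check compares against MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED only, any other value behaves as disabled, which the same comment can note.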