diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 2b123388e..2ac2cc696 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1815,10 +1815,27 @@
 /**
  * \def MBEDTLS_SSL_DTLS_SRTP
  *
- * Enable support for DTLS-SRTP, RFC5764, use_srtp extension.
- * \note Only the dtls-srtp key material negotiation is supported.
- * Once negotiated, the key should be extracted using mbedtls_ssl_tls_prf()
- * and data should be transmitted via an SRTP stack.
+ * Enable support for negotation of DTLS-SRTP (RFC 5764)
+ * through the use_srtp extension.
+ *
+ * \note This feature provides the minimum functionality required
+ * to negotiate the use of DTLS-SRTP and to allow the derivation of
+ * the associated SRTP packet protection key material.
+ * In particular, the SRTP packet protection itself, as well as the
+ * demultiplexing of RTP and DTLS packets at the datagram layer
+ * (see Section 5 of RFC 5764), are not handled by this feature.
+ * Instead, after successful completion of a handshake negotiating
+ * the use of DTLS-SRTP, the extended key exporter API
+ * mbedtls_ssl_conf_export_keys_ext_cb() should be used to implement
+ * the key exporter described in Section 4.2 of RFC 5764 and RFC 5705
+ * (this is implemented in the SSL example programs).
+ * The resulting key should then be passed to an SRTP stack.
+ *
+ * Setting this option enables the runtime API
+ * mbedtls_ssl_conf_dtls_srtp_protection_profiles()
+ * through which the supported DTLS-SRTP protection
+ * profiles can be configured. You must call this API at
+ * runtime if you wish to negotiate the use of DTLS-SRTP.
  *
  * Requires: MBEDTLS_SSL_PROTO_DTLS
  *
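Review bot: The first added line misspells "negotiation" as "negotation"; it should read ` * Enable support for negotiation of DTLS-SRTP (RFC 5764)`. Since this paragraph is now the header's only guidance on how integrators obtain SRTP keying material, the sentence pointing at mbedtls_ssl_conf_export_keys_ext_cb() would be more actionable if it also named the exporter label that RFC 5764 Section 4.2 prescribes (`EXTRACTOR-dtls_srtp`, with an empty context), so a callback author does not have to recover it from the RFC or the example programs; the example-program reference suggests that is what they do, but the hunk does not show it. It may also be worth stating explicitly that the derived material must be split into client/server master keys and salts according to the negotiated protection profile, since passing the raw exporter output to an SRTP stack is a common mistake. The Doxygen comment block continues past the end of the hunk.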