diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 6a6d8aed3..38546ac2d 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -158,6 +158,9 @@
 #define MBEDTLS_SSL_EXTENDED_MS_DISABLED        0
 #define MBEDTLS_SSL_EXTENDED_MS_ENABLED         1
 
+#define MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED    0
+#define MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED     1
+
 #define MBEDTLS_SSL_CID_DISABLED                0
 #define MBEDTLS_SSL_CID_ENABLED                 1
 
@@ -2834,10 +2837,10 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
  *
  * \param conf      SSL configuration
  * \param ems_enf   MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED or
- *                  MBEDTLS_SSL_EXTENDED_MS_DISABLED
+ *                  MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED
  */
 void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
-                                                        char ems_enf);
+                                                        char ems_enf );
 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
 
 #if defined(MBEDTLS_ARC4_C)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8cf9a497e..ca9131aea 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8343,7 +8343,7 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
 }
 
 void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
-                                                        char ems_enf);
+                                                        char ems_enf );
 {
     conf->enforce_extended_master_secret = ems_enf;
 }
@@ -10301,6 +10301,8 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
     conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+    conf->enforce_extended_master_secret =
+        MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED;
 #endif
 
 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)