diff --git a/include/polarssl/check_config.h b/include/polarssl/check_config.h
index 328b881ea..b4ae54144 100644
--- a/include/polarssl/check_config.h
+++ b/include/polarssl/check_config.h
@@ -257,6 +257,13 @@
 #error "Illegal protocol selection"
 #endif
 
+#if defined(POLARSSL_SSL_EXTENDED_MASTER_SECRET) && \
+    !defined(POLARSSL_SSL_PROTO_TLS1)   &&          \
+    !defined(POLARSSL_SSL_PROTO_TLS1_1) &&          \
+    !defined(POLARSSL_SSL_PROTO_TLS1_2)
+#error "POLARSSL_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequsites"
+#endif
+
 #if defined(POLARSSL_SSL_SESSION_TICKETS) && defined(POLARSSL_SSL_TLS_C) && \
     ( !defined(POLARSSL_AES_C) || !defined(POLARSSL_SHA256_C) ||            \
       !defined(POLARSSL_CIPHER_MODE_CBC) )
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 9ca39e71d..dfe2764e5 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -821,6 +821,10 @@
  * renegotiation), since it actually fixes a more fundamental issue in the
  * original SSL/TLS design, and has implications beyond Triple Handshake.
  *
+ * Requires: POLARSSL_SSL_PROTO_TLS1    or
+ *           POLARSSL_SSL_PROTO_TLS1_1  or
+ *           POLARSSL_SSL_PROTO_TLS1_2
+ *
  * Comment this macro to disable support for Extended Master Secret.
  */
 #define POLARSSL_SSL_EXTENDED_MASTER_SECRET