diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 3ab362921..f93abefa7 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1162,14 +1162,19 @@ int ssl_set_dh_param_ctx( ssl_context *ssl, dhm_context *dhm_ctx );
 #if defined(POLARSSL_KEY_EXCHANGE__SOME__ECDHE_ENABLED) && \
 defined(POLARSSL_SSL_SET_CURVES)
 /**
- * \brief Set the allowed ECDH curves.
+ * \brief Set the allowed curves in order of preference.
 * (Default: all defined curves.)
 *
- * The sequence of the curves in the list also determines the
- * handshake curve preference.
+ * On server: this only affects selection of the ECDHE curve;
+ * the curves used for ECDH and ECDSA are determined by the
+ * list of available certificates instead.
+ *
+ * On client: this affects the list of curves offered for any
+ * use. The server can override our preferences.
 *
 * \param ssl SSL context
- * \param curves Zero terminated list of the allowed ECDH curves
+ * \param curves Ordered list of allowed curves,
+ * terminated by POLARSSL_ECP_DP_NONE.
 */
 void ssl_set_curves( ssl_context *ssl, const ecp_group_id *curves );
 #endif
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 62df85747..fa3b7a89f 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -233,19 +233,26 @@ static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
 unsigned char *p = buf;
 unsigned char *elliptic_curve_list = p + 6;
 size_t elliptic_curve_len = 0;
- const ecp_curve_info *curve;
- ((void) ssl);
+ const ecp_curve_info *info;
+#if defined(POLARSSL_SSL_SET_CURVES)
+ const ecp_group_id *grp_id;
+#endif
 *olen = 0;
 SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
- for( curve = ecp_curve_list();
- curve->grp_id != POLARSSL_ECP_DP_NONE;
- curve++ )
+#if defined(POLARSSL_SSL_SET_CURVES)
+ for( grp_id = ssl->curve_list; *grp_id != POLARSSL_ECP_DP_NONE; grp_id++ )
 {
- elliptic_curve_list[elliptic_curve_len++] = curve->tls_id >> 8;
- elliptic_curve_list[elliptic_curve_len++] = curve->tls_id & 0xFF;
+ info = ecp_curve_info_from_grp_id( *grp_id );
+#else
+ for( info = ecp_curve_list(); info->grp_id != POLARSSL_ECP_DP_NONE; info++ )
+ {
+#endif
+
+ elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8;
+ elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF;
 }
 if( elliptic_curve_len == 0 )
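Review bot: The result of `ecp_curve_info_from_grp_id( *grp_id )` is dereferenced as `info->tls_id` with no NULL check in the POLARSSL_SSL_SET_CURVES branch of the loop. The ids now come from the application-set `ssl->curve_list`, so an id for a curve that is not compiled in would, assuming the lookup returns NULL for unknown ids, crash the client while it builds the ClientHello; add `if( info == NULL ) continue;` right after the lookup (before `#else`), or reject such ids in ssl_set_curves(). The list length is also no longer bounded by the built-in curve table, and no check of the two-byte writes against the space left in `buf` is visible in this hunk, so a bound on `elliptic_curve_len` is worth adding. The function body starts and ends outside the hunk.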