From 18b9a491e116d27128eb17b6091ff4f837a04ed5 Mon Sep 17 00:00:00 2001
From: Jarno Lamsa
Date: Mon, 10 Jun 2019 15:23:29 +0300
Subject: [PATCH] Disable the enforce flag by default
---
 include/mbedtls/ssl.h | 2 +-
 library/ssl_tls.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 38546ac2d..bc42d5495 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2829,7 +2829,7 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
 /**
 * \brief Enable or disable Extended Master Secret enforcing.
- * (Default: MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED)
+ * (Default: MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED)
 *
 * \note This enforces the peer to use the Extended Master Secret
 * extension, if the option is enabled and the peer doesn't
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 27e55d93b..1f8690a64 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -10302,7 +10302,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
 conf->enforce_extended_master_secret =
- MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED;
+ MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED;
 #endif
 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
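Review bot: The `\note` below the changed `(Default: ...)` line in include/mbedtls/ssl.h does not say what the new disabled default means for a caller. With enforcing off, a peer that does not negotiate the Extended Master Secret extension is presumably still accepted, so the session runs without the RFC 7627 binding of the master secret to the handshake transcript. I would add a sentence such as ` * With the default setting, a peer that does not negotiate the extension is still accepted; enable enforcing to reject it.` The note continues past the end of the hunk, so it may already cover this, in which case no change is needed.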
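Review bot: In `mbedtls_ssl_config_defaults` the new assignment of `MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED` to `conf->enforce_extended_master_secret` has no comment explaining why the permissive value is the default, and the commit message gives no reason either. Because this flips a security-relevant default, any caller that relied on the previous value loses enforcement without changing its own code. I would record the reason at the assignment, for example `/* Not enforced by default: peers without EMS are accepted unless the application opts in. */`, and mention the behaviour change in the ChangeLog if the earlier default was ever released. The function body starts and ends outside the hunk.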