diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 3eb37b8c3..e188c9706 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -321,6 +321,18 @@
 #define MBEDTLS_SSL_TRANSPORT_ELSE                  /* empty: no other branch */
 #endif /* TLS and/or DTLS */
 
+/* Check if the use of the ExtendedMasterSecret extension
+ * is enforced at compile-time. If so, we don't need to
+ * track its status in the handshake parameters. */
+#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)         && \
+    defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) && \
+    MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET ==                  \
+      MBEDTLS_SSL_EXTENDED_MS_ENABLED                        && \
+    MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET ==          \
+      MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED
+#define MBEDTLS_SSL_EXTENDED_MS_ENFORCED
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif