diff --git a/ChangeLog b/ChangeLog
index 2e5a54f89..68d27472c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -85,6 +85,7 @@ Default behavior changes
enabled in the default configuration, this is only noticeable if using a custom config.h
* Default DHM parameters server-side upgraded from 1024 to 2048 bits.
+ * Negotiation of truncated HMAC is now disabled by default on server too.
Reauirement changes
* The minimum MSVC version required is now 2010 (better C99 support).
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 4782cd539..4c1f68529 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1863,8 +1863,7 @@ int mbedtls_ssl_set_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_co
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
/**
* \brief Activate negotiation of truncated HMAC
- * (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED on client,
- * MBEDTLS_SSL_TRUNC_HMAC_ENABLED on server.)
+ * (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
*
* \param conf SSL configuration
* \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 114f5ae30..72bbbd7fb 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6618,11 +6618,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
}
#endif
-#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_TRUNCATED_HMAC)
- if( endpoint == MBEDTLS_SSL_IS_SERVER )
- conf->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
-#endif
-
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index ae324dbc8..510000a30 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
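Review bot: The rewritten Doxygen line `+ * (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)` states the new default but says nothing about why a caller should leave it there, and truncated HMAC is a security-reducing option: per RFC 6066 it shortens the record MAC to 80 bits, which is what the test hunk in this same commit checks as "computed mac (10 bytes)" versus 20 bytes for a SHA-1 ciphersuite. I would add a `\note` to this comment block saying that enabling truncated HMAC weakens record integrity and should only be done for bandwidth-constrained peers that require the extension, and that the server no longer enables it implicitly, so deployments that relied on the old server-side default must now call this function explicitly. The ChangeLog entry in this commit records the default change but a user reading the header alone will not see it. The declaration this comment documents is outside the hunk.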
@@ -626,8 +626,8 @@ run_test "Truncated HMAC: client enabled, server default" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \
trunc_hmac=1" \
0 \
- -S "dumping 'computed mac' (20 bytes)" \
- -s "dumping 'computed mac' (10 bytes)"
+ -s "dumping 'computed mac' (20 bytes)" \
+ -S "dumping 'computed mac' (10 bytes)"
run_test "Truncated HMAC: client enabled, server disabled" \
"$P_SRV debug_level=4 trunc_hmac=0" \
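Review bot: The swapped expectations at `+ -s "dumping 'computed mac' (20 bytes)"` and `+ -S "dumping 'computed mac' (10 bytes)"` are consistent with the server default now being disabled, but nothing in the test records why the full 20-byte MAC is expected, so a reader cannot tell whether this case or the "server disabled" case right below it is the regression check for the default. I would add a one-line comment above this run_test, `# server default is trunc_hmac disabled: expect the full 20-byte HMAC-SHA1, not the 10-byte truncated one`, so the intent survives if the default is changed again. Both checks look for a server debug line, which presumably requires the server to be started with `debug_level=4` as the next test does; that server command line for this test is before the hunk. The run_test call that begins at the end of the hunk continues outside it.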