diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 5305425e7b..9cba94e9b3 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3364,6 +3364,10 @@ int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, size_t len,
 /**
  * \brief          Set the X.509 security profile used for verification
  *
+ * \note           The restrictions are enforced for all certificates in the
+ *                 chain. However, signatures in the handshake are not covered
+ *                 by this setting but by \b mbedtls_ssl_conf_sig_hashes().
+ *
  * \param conf     SSL configuration
  * \param profile  Profile to use
  */