diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 7f38ab9e0e..c8a0d99a2e 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -696,7 +696,7 @@
  * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
  * them explicitly.
  *
- * A man-in-the browser attacker can recover authentication tokens sent through
+ * A man-in-the-browser attacker can recover authentication tokens sent through
  * a TLS connection using a 3DES based cipher suite (see "On the Practical
  * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
  * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
diff --git a/tests/compat.sh b/tests/compat.sh
index cadc5780b3..c3939b884c 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -62,6 +62,7 @@ FILTER=""
 #   avoid plain DES but keep 3DES-EDE-CBC (mbedTLS), DES-CBC3 (OpenSSL)
 # - ARIA: not in default config.h + requires OpenSSL >= 1.1.1
 # - ChachaPoly: requires OpenSSL >= 1.1.0
+# - 3DES: not in default config
 EXCLUDE='NULL\|DES-CBC-\|RC4\|3DES\|ARCFOUR\|ARIA\|CHACHA20-POLY1305'
 VERBOSE=""
 MEMCHECK=0