diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 1a63173204..8d5e39fe3a 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2354,12 +2354,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
     const mbedtls_ssl_ciphersuite_t *suite = NULL;
     const mbedtls_cipher_info_t *cipher = NULL;
 
-    if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
-        ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
-    {
-        *olen = 0;
-        return;
-    }
+    if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
+        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
 
     /*
      * RFC 7366: "If a server receives an encrypt-then-MAC request extension
@@ -2371,6 +2367,11 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
                     ssl->session_negotiate->ciphersuite ) ) == NULL ||
         ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
         cipher->mode != MBEDTLS_MODE_CBC )
+    {
+        ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
+    }
+
+    if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
     {
         *olen = 0;
         return;