diff --git a/ChangeLog.d/verify-result-default-value.txt b/ChangeLog.d/verify-result-default-value.txt
new file mode 100644
index 0000000000..d85dfe2670
--- /dev/null
+++ b/ChangeLog.d/verify-result-default-value.txt
@@ -0,0 +1,5 @@
+Changes
+   * Harden mbedtls_ssl_get_verify_result() against misuse.
+     Return failure if the handshake has not yet been attempted. Previously
+     the result of verification was zero-initialized so the function would
+     return 0 (indicating success).