diff --git a/ChangeLog b/ChangeLog
index f4e71221b2..0f4df6525f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,16 @@ mbed TLS ChangeLog (Sorted per branch, date)
 
 = mbed TLS 2.1.10 branch released 2017-xx-xx
 
+Default behavior changes
+   * The truncated HMAC extension now conforms to RFC 6066. This means
+     that when both sides of a TLS connection negotiate the truncated
+     HMAC extension, Mbed TLS can now interoperate with other
+     compliant implementations, but this breaks interoperability with
+     prior versions of Mbed TLS. To restore the old behavior, enable
+     the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in
+     config.h. Found by Andreas Walz (ivESK, Offenburg University of
+     Applied Sciences).
+
 Security
    * Fix heap corruption in implementation of truncated HMAC extension.
      When the truncated HMAC extension is enabled and CBC is used,
@@ -10,12 +20,10 @@ Security
      corrupt 6 bytes on the peer's heap, potentially leading to crash or
      remote code execution. This can be triggered remotely from either
      side in both TLS and DTLS.
-   * Fix implementation of truncated HMAC extension leading to
-     compatibility problems with non Mbed TLS peers and allowing
-     an offline 2^80 brute force attack on the HMAC key of a single,
-     uninterrupted (excluding session resumption) connection.
-     Found by Andreas Walz (ivESK, Offenburg University of Applied
-     Sciences).
+   * Fix implementation of the truncated HMAC extension. The previous
+     implementation allowed an offline 2^80 brute force attack on the
+     HMAC key of a single, uninterrupted connection (with no
+     resumption of the session).
 
 Bugfix
    * Fix ssl_parse_record_header() to silently discard invalid DTLS records