diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index e69091c3c..34c1565c9 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1480,8 +1480,6 @@ read_record_header:
             msg_len != ext_offset + 2 + ext_len )
         {
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
-            MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions",
-                              buf + ext_offset + 2, ext_len );
             return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
         }
     }
@@ -1489,6 +1487,7 @@ read_record_header:
         ext_len = 0;
 
     ext = buf + ext_offset + 2;
+    MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
 
     while( ext_len != 0 )
     {
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index d3b7b3fdc..c07c8cac9 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2488,6 +2488,14 @@ run_test    "Per-version suites: TLS 1.2" \
             0 \
             -c "Ciphersuite is TLS-RSA-WITH-AES-128-GCM-SHA256"
 
+# Test for ClientHello without extensions
+
+run_test    "CLientHello without extensions" \
+            "$P_SRV debug_level=3" \
+            "$G_CLI --priority=NORMAL:%NO_EXTENSIONS:%DISABLE_SAFE_RENEGOTIATION" \
+            0 \
+            -s "dumping 'client hello extensions' (0 bytes)"
+
 # Tests for mbedtls_ssl_get_bytes_avail()
 
 run_test    "mbedtls_ssl_get_bytes_avail: no extra data" \