diff --git a/handshake_client.go b/handshake_client.go
index 73ef3b8..e1cf0bc 100644
--- a/handshake_client.go
+++ b/handshake_client.go
@@ -464,6 +464,11 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
 			return nil, nil, nil, nil
 		}
 
+		// FIPS 140-3 requires the use of Extended Master Secret.
+		if !session.extMasterSecret && fips140tls.Required() {
+			return nil, nil, nil, nil
+		}
+
 		hello.sessionTicket = session.ticket
 		return
 	}
@@ -774,6 +779,10 @@ func (hs *clientHandshakeState) doFullHandshake() error {
 		hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
 			hs.finishedHash.Sum())
 	} else {
+		if fips140tls.Required() {
+			c.sendAlert(alertHandshakeFailure)
+			return errors.New("tls: FIPS 140-3 requires the use of Extended Master Secret")
+		}
 		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
 			hs.hello.random, hs.serverHello.random)
 	}
diff --git a/handshake_server.go b/handshake_server.go
index 33c528f..333b179 100644
--- a/handshake_server.go
+++ b/handshake_server.go
@@ -18,6 +18,8 @@ import (
 	"hash"
 	"io"
 	"time"
+
+	"github.com/xtls/reality/fips140tls"
 )
 
 // serverHandshakeState contains details of a server handshake in progress.
@@ -512,6 +514,10 @@ func (hs *serverHandshakeState) checkForResumption() error {
 		// weird downgrade in client capabilities.
 		return errors.New("tls: session supported extended_master_secret but client does not")
 	}
+	if !sessionState.extMasterSecret && fips140tls.Required() {
+		// FIPS 140-3 requires the use of Extended Master Secret.
+		return nil
+	}
 
 	c.peerCertificates = sessionState.peerCertificates
 	c.ocspResponse = sessionState.ocspResponse
@@ -698,6 +704,10 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 		hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
 			hs.finishedHash.Sum())
 	} else {
+		if fips140tls.Required() {
+			c.sendAlert(alertHandshakeFailure)
+			return errors.New("tls: FIPS 140-3 requires the use of Extended Master Secret")
+		}
 		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
 			hs.clientHello.random, hs.hello.random)
 	}