diff --git a/variants/esp32/esp32-common.ini b/variants/esp32/esp32-common.ini
index ec2669621..4f302694a 100644
--- a/variants/esp32/esp32-common.ini
+++ b/variants/esp32/esp32-common.ini
@@ -195,7 +195,7 @@ custom_sdkconfig =
   ;
   ; MBEDTLS
   ;
-   and =16384 ; do not change, affects buffer allocation and 
+  CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384 ; do not change, affects buffer allocation (PR10535)
   CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL=n
   CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
   ; Switch to custom CA bundle (for Meshtastic MQTT/etc) in the future
@@ -205,13 +205,15 @@ custom_sdkconfig =
   CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS=1
   ; #shame
   CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION=y
-  ; These four options must match the precompiled framework-arduinoespressif32-libs
-  ; which was built with all four enabled. Disabling them changes mbedtls_ssl_context
+  ; These six options must match the precompiled framework-arduinoespressif32-libs
+  ; which was built with all six enabled. Disabling them changes mbedtls_ssl_context
   ; struct layout, causing an ABI mismatch and a crash in mbedtls_ssl_set_hostname.
   CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
   CONFIG_MBEDTLS_SSL_PROTO_DTLS=y
   CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=y
   CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS=y
+  CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=y
+  CONFIG_MBEDTLS_SSL_ALPN=y
   CONFIG_MBEDTLS_PKCS7_C=n
   CONFIG_MBEDTLS_CAMELLIA_C=n
   CONFIG_MBEDTLS_CCM_C=n