diff --git a/ChangeLog b/ChangeLog
index 68fb6f5e96..dd72d5bee7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -43,6 +43,7 @@ Changes
    * Remove support for the library reference configuration for picocoin.
    * MD functions deprecated in 2.7.0 are no longer inline, to provide
      a migration path for those depending on the library's ABI.
+   * Clarify the documentation of mbedtls_ssl_setup.
 
 = mbed TLS 2.7.0 branch released 2018-02-03
 
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 51e843ae24..5ee9e9d977 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -971,8 +971,13 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl );
  * \note           No copy of the configuration context is made, it can be
  *                 shared by many mbedtls_ssl_context structures.
  *
- * \warning        Modifying the conf structure after it has been used in this
- *                 function is unsupported!
+ * \warning        The conf structure will be accessed during the session.
+ *                 It must not be modified or freed as long as the session
+ *                 is active.
+ *
+ * \warning        This function must be called exactly once per context.
+ *                 Calling mbedtls_ssl_setup again is not supported, even
+ *                 if no session is active.
  *
  * \param ssl      SSL context
  * \param conf     SSL configuration to use