diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index c0ddfa1e5a..f9c54fedf2 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1770,10 +1770,16 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl,
         return MBEDTLS_ERR_SSL_DECODE_ERROR;
     }
+    /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
+       the sizes of the FFDH keys which are at least 2048 bits.
+       The size of the array is thus greater than 256 bytes which is greater than any
+       possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
 #if !defined(PSA_WANT_ALG_FFDH)
     if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
         return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
     }
+#else
+    MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX, "peer key buffer too small");
 #endif
     memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 9d302d6eee..d5da55ab63 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -3909,12 +3909,18 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
         return MBEDTLS_ERR_SSL_DECODE_ERROR;
     }
+    /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
+       the sizes of the FFDH keys which are at least 2048 bits.
+       The size of the array is thus greater than 256 bytes which is greater than any
+       possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
 #if !defined(PSA_WANT_ALG_FFDH)
     if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
         psa_destroy_key(handshake->xxdh_psa_privkey);
         handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
         return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
     }
+#else
+    MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX, "peer key buffer too small");
 #endif
     memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);
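Review bot: The new comment above `#if !defined(PSA_WANT_ALG_FFDH)` refers to `handshake->xxdh_psa_peer_key`, but the buffer the static assertion and the memcpy actually use is `handshake->xxdh_psa_peerkey`; the same mismatch is repeated in the ssl_tls12_server.c hunk. The comment also claims the array is "greater than 256 bytes" although a 2048-bit key is exactly 256 bytes and the assertion only enforces `>= UINT8_MAX`, so I would word it to match the bound that is checked, e.g. `/* sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX, the largest value ecpoint_len (uint8_t) can take, so the runtime bound check is unnecessary. */`. The whole argument for skipping the runtime check rests on ecpoint_len being a uint8_t, which is declared outside the hunk; pinning that with a second compile-time check next to the existing one, `MBEDTLS_STATIC_ASSERT(sizeof(ecpoint_len) == 1, "ecpoint_len must be one byte");`, would keep the memcpy bounded if that type is ever widened. ssl_parse_server_ecdh_params begins and ends outside the hunk.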
diff --git a/tests/scripts/generate_tls13_compat_tests.py b/tests/scripts/generate_tls13_compat_tests.py
index 77f337404c..05d80a5322 100755
--- a/tests/scripts/generate_tls13_compat_tests.py
+++ b/tests/scripts/generate_tls13_compat_tests.py
@@ -67,10 +67,10 @@ NAMED_GROUP_IANA_VALUE = {
     'secp521r1': 0x19,
     'x25519': 0x1d,
     'x448': 0x1e,
+    # Only one finite field group to keep testing time within reasonable bounds.
     'ffdhe2048': 0x100,
 }
-
 class TLSProgram:
     """
     Base class for generate server/client command.