diff --git a/src/eap-tls.c b/src/eap-tls.c
index 8f63726a..ab137fcd 100644
--- a/src/eap-tls.c
+++ b/src/eap-tls.c
@@ -335,7 +335,7 @@ static void eap_tls_handle_request(struct eap_state *eap,
 	 * response instead of passing the TLS alert.
 	 */
 
-	if (tls->tx_pkt_len <= eap_get_mtu(eap)) {
+	if (tls->tx_pkt_len + 6 <= eap_get_mtu(eap)) {
 		/*
 		 * Response fits in a single response packet, prepend the
 		 * 6-byte header (no length) before the data.