diff --git a/configure.ac b/configure.ac
index 640ab6fa..aa632005 100644
--- a/configure.ac
+++ b/configure.ac
@@ -898,6 +898,12 @@ elif test "${with_crypto_library}" = "mbedtls"; then
 [have_export_keying_material="no"]
 )
 
+ AC_CHECK_FUNC(
+ [mbedtls_ctr_drbg_update_ret],
+ AC_DEFINE([HAVE_CTR_DRBG_UPDATE_RET], [1],
+ [Use mbedtls_ctr_drbg_update_ret from mbed TLS]),
+ )
+
 CFLAGS="${saved_CFLAGS}"
 LIBS="${saved_LIBS}"
 AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 1853335e..cea88f41 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -66,8 +66,11 @@
 * Compatibility: mbedtls_ctr_drbg_update was deprecated in mbedtls 2.16 and
 * replaced with mbedtls_ctr_drbg_update_ret, which returns an error code.
 * For older versions, we call mbedtls_ctr_drbg_update and return 0 (success).
+ *
+ * Note: this change was backported to other mbedTLS branches, therefore we
+ * rely on function detection at configure time.
 */
-#if MBEDTLS_VERSION_NUMBER < 0x02100000
+#ifndef HAVE_CTR_DRBG_UPDATE_RET
 static int mbedtls_ctr_drbg_update_ret(mbedtls_ctr_drbg_context *ctx,
 const unsigned char *additional,
 size_t add_len)
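Review bot: The action-if-found argument of the new `AC_CHECK_FUNC` call is passed unquoted, and the call ends with a dangling comma that leaves an empty third argument. The neighbouring context line quotes its action in brackets (`[have_export_keying_material="no"]`), so for consistency, and to keep m4 from expanding `AC_DEFINE` before `AC_CHECK_FUNC` sees it, I would write the second argument as `[AC_DEFINE([HAVE_CTR_DRBG_UPDATE_RET], [1], [Use mbedtls_ctr_drbg_update_ret from mbed TLS])]` and drop the trailing comma. A one-line comment saying the probe must run before `CFLAGS="${saved_CFLAGS}"` and `LIBS="${saved_LIBS}"` are restored would also help, since the link test presumably only finds the symbol while the mbed TLS flags are still in effect. The enclosing `elif` branch starts outside the hunk.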
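Review bot: The `#ifndef HAVE_CTR_DRBG_UPDATE_RET` guard now depends entirely on the configure probe, and nothing in this file says where the macro comes from or what a missing definition means. Any build that does not get the macro from the generated config header (for example a hand-maintained config header, if the project ships one) would select the compatibility shim even against a library that already provides the function; that presumably fails at compile time as a static redefinition rather than silently, but it is worth confirming. I would extend the new note with something like `* HAVE_CTR_DRBG_UPDATE_RET is defined by the AC_CHECK_FUNC probe in configure.ac; when it is unset the shim below always returns 0, so callers cannot detect a failed DRBG update.` The shim's body and the closing `#endif` are outside the hunk.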