diff --git a/lib/modules/SSL.pmod/Constants.pmod b/lib/modules/SSL.pmod/Constants.pmod
index 55bee8368082d47a32d54be677e83190facaacb0..56c3af24eed0c2d1f768dea75454dc7303e5a1a2 100644
--- a/lib/modules/SSL.pmod/Constants.pmod
+++ b/lib/modules/SSL.pmod/Constants.pmod
@@ -67,7 +67,7 @@
  *  [/] 56-bit Export Cipher	draft-ietf-tls-56-bit-ciphersuites-01.txt
  *  [/] Next Protocol Negotiation  	draft-agl-tls-nextprotoneg
  *  [ ] Chacha20Poly1305	draft-agl-tls-chacha20poly1305-02.txt
- *  [ ] TLS Padding		draft-agl-tls-padding
+ *  [/] TLS Padding		draft-agl-tls-padding
  *  [X] TLS Fallback SCSV	draft-ietf-tls-downgrade-scsv-00.txt
  *  [ ] SSL 3.4/TLS 1.3		draft-ietf-tls-tls13-02.txt
  *  [ ] Prohibit RC4		draft-ietf-tls-prohibiting-rc4
diff --git a/lib/modules/SSL.pmod/ServerConnection.pike b/lib/modules/SSL.pmod/ServerConnection.pike
index 3b9dc64ff6e9f10db63818ef9b0809ff30a1b6e7..71862cfe44755d66c5260ed353b6f7d0f3b27802 100644
--- a/lib/modules/SSL.pmod/ServerConnection.pike
+++ b/lib/modules/SSL.pmod/ServerConnection.pike
@@ -561,6 +561,13 @@ int(-1..1) handle_handshake(int type, string(8bit) data, string(8bit) raw)
 	      }
 	      break;
 
+            case EXTENSION_padding:
+              if( !equal(String.range((string)extension_data), ({0,0})) )
+                send_packet(alert(ALERT_fatal, ALERT_illegal_parameter,
+                                  "Possible covert side channel in padding.\n"
+                                  ));
+              break;
+
 	    default:
               SSL3_DEBUG_MSG("Unhandled extension %O (%d bytes)\n",
                              (string)extension_data,