diff --git a/error/s2n_errno.c b/error/s2n_errno.c
index 2e5d0985e1d..bd0f29c40c2 100644
--- a/error/s2n_errno.c
+++ b/error/s2n_errno.c
@@ -58,6 +58,7 @@ static const char *no_such_error = "Internal s2n error";
 ERR_ENTRY(S2N_ERR_ENCRYPT, "error encrypting data") \
 ERR_ENTRY(S2N_ERR_DECRYPT, "error decrypting data") \
 ERR_ENTRY(S2N_ERR_BAD_MESSAGE, "Bad message encountered") \
+ ERR_ENTRY(S2N_ERR_ILLEGAL_PARAMETER, "Illegal parameter in handshake message") \
 ERR_ENTRY(S2N_ERR_KEY_INIT, "error initializing encryption key") \
 ERR_ENTRY(S2N_ERR_KEY_DESTROY, "error destroying encryption key") \
 ERR_ENTRY(S2N_ERR_DH_SERIALIZING, "error serializing Diffie-Hellman parameters") \
diff --git a/error/s2n_errno.h b/error/s2n_errno.h
index 8e3dbe9b430..17a707699c0 100644
--- a/error/s2n_errno.h
+++ b/error/s2n_errno.h
@@ -71,6 +71,7 @@ typedef enum {
 S2N_ERR_ENCRYPT = S2N_ERR_T_PROTO_START,
 S2N_ERR_DECRYPT,
 S2N_ERR_BAD_MESSAGE,
+ S2N_ERR_ILLEGAL_PARAMETER,
 S2N_ERR_UNEXPECTED_CERT_REQUEST,
 S2N_ERR_MISSING_CERT_REQUEST,
 S2N_ERR_MISSING_CLIENT_CERT,
diff --git a/tls/s2n_alerts.c b/tls/s2n_alerts.c
index 8f4f4d624ee..bdcce26a34c 100644
--- a/tls/s2n_alerts.c
+++ b/tls/s2n_alerts.c
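Review bot: In the `error/s2n_errno.h` hunk, `S2N_ERR_ILLEGAL_PARAMETER` is inserted between `S2N_ERR_BAD_MESSAGE` and `S2N_ERR_UNEXPECTED_CERT_REQUEST`, and among the visible enumerators only `S2N_ERR_ENCRYPT = S2N_ERR_T_PROTO_START` carries an explicit value, so every later enumerator shown here shifts by one. If numeric error values are ever recorded or compared across builds (logs, metrics, language bindings), those readings silently change meaning. Confirm the project treats the values as unstable, or say so next to the enum with a comment such as `/* Numeric values are not stable across releases; compare by name only. */`. The enum continues outside the hunk, so the full extent of the renumbering is not visible here.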
@@ -45,13 +45,12 @@ static S2N_RESULT s2n_translate_protocol_error_to_alert(int error_code, uint8_t
 S2N_ALERT_CASE(S2N_ERR_NO_VALID_SIGNATURE_SCHEME, S2N_TLS_ALERT_HANDSHAKE_FAILURE);
 S2N_ALERT_CASE(S2N_ERR_MISSING_CLIENT_CERT, S2N_TLS_ALERT_CERTIFICATE_REQUIRED);
- /* TODO: The ERR_BAD_MESSAGE -> ALERT_UNEXPECTED_MESSAGE mapping
- * isn't always correct. Sometimes s2n-tls uses ERR_BAD_MESSAGE
- * to indicate S2N_TLS_ALERT_ILLEGAL_PARAMETER instead.
- * We'll want to add a new error to distinguish between the two usages:
- * our errors should be equally or more specific than alerts, not less.
+ /* S2N_ERR_BAD_MESSAGE maps to UNEXPECTED_MESSAGE for protocol violations
+ * where an unexpected message type was received. S2N_ERR_ILLEGAL_PARAMETER
+ * maps to ILLEGAL_PARAMETER for cases where a message has invalid content.
 */
 S2N_ALERT_CASE(S2N_ERR_BAD_MESSAGE, S2N_TLS_ALERT_UNEXPECTED_MESSAGE);
+ S2N_ALERT_CASE(S2N_ERR_ILLEGAL_PARAMETER, S2N_TLS_ALERT_ILLEGAL_PARAMETER);
 S2N_ALERT_CASE(S2N_ERR_UNEXPECTED_CERT_REQUEST, S2N_TLS_ALERT_UNEXPECTED_MESSAGE);
 S2N_ALERT_CASE(S2N_ERR_MISSING_CERT_REQUEST, S2N_TLS_ALERT_UNEXPECTED_MESSAGE);
@@ -112,7 +111,8 @@ static S2N_RESULT s2n_translate_protocol_error_to_alert(int error_code, uint8_t
 S2N_ALERT_CASE(S2N_ERR_CERT_INVALID, S2N_TLS_ALERT_BAD_CERTIFICATE);
 S2N_ALERT_CASE(S2N_ERR_DECODE_CERTIFICATE, S2N_TLS_ALERT_BAD_CERTIFICATE);
- /* TODO: Add mappings for other protocol errors.
+ /* The following errors are internal/cryptographic errors that don't have
+ * corresponding TLS alert codes. They result in a generic internal_error alert.
 */
 S2N_NO_ALERT(S2N_ERR_ENCRYPT);
 S2N_NO_ALERT(S2N_ERR_DECRYPT);
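Review bot: The rewritten comment above `S2N_ALERT_CASE(S2N_ERR_BAD_MESSAGE, ...)` in the `@@ -45,13 +45,12 @@` hunk says BAD_MESSAGE now covers only unexpected message types, but nothing visible in this diff moves an existing caller from `S2N_ERR_BAD_MESSAGE` to `S2N_ERR_ILLEGAL_PARAMETER`. Until those call sites are migrated, a message with invalid content would still be translated to unexpected_message, which is the gap the removed TODO described. Either migrate the callers in the same change or keep a short note such as `/* Some callers may still raise S2N_ERR_BAD_MESSAGE for invalid content; migrate them to S2N_ERR_ILLEGAL_PARAMETER. */`. A unit test asserting that the new error translates to `S2N_TLS_ALERT_ILLEGAL_PARAMETER` would keep the mapping from regressing. The switch body starts and ends outside the hunk.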
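Review bot: The replacement comment above `S2N_NO_ALERT(S2N_ERR_ENCRYPT)` in the `@@ -112,7 +111,8 @@` hunk asserts a runtime outcome, "a generic internal_error alert", that nothing in this hunk establishes, because `S2N_NO_ALERT` is defined outside it. Please check the macro and the alert-writing path and word the comment to match what they actually do. Describing these as errors that "don't have corresponding TLS alert codes" also misses the stronger reason to stay silent on `S2N_ERR_DECRYPT`: a peer should not be able to tell a decryption failure apart from other failures. Something like `/* No specific alert is sent for these errors, so the peer cannot learn why the operation failed. */` states the security intent without promising a particular alert code. The hunk also drops the TODO about mapping other protocol errors without adding mappings, so that work should be tracked elsewhere if it is still open.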