diff --git a/hack/tools/update-tls-profiles.sh b/hack/tools/update-tls-profiles.sh
index 10a3e270c..9a3443f04 100755
--- a/hack/tools/update-tls-profiles.sh
+++ b/hack/tools/update-tls-profiles.sh
@@ -4,8 +4,13 @@ set -e
 OUTPUT=internal/shared/util/tlsprofiles/mozilla_data.json
 INPUT=https://ssl-config.mozilla.org/guidelines/latest.json
+tmp="$(mktemp "${OUTPUT}.tmp.XXXXXX")"
+trap 'rm -f "${tmp}"' EXIT
-if ! curl -L -s -f "${INPUT}" -o "${OUTPUT}"; then
+if ! curl -L -s -f "${INPUT}" -o "${tmp}"; then
 echo "ERROR: Failed to download ${INPUT} (HTTP error or connection failure)" >&2
 exit 1
 fi
+
+mv "${tmp}" "${OUTPUT}"
+trap - EXIT
diff --git a/internal/shared/util/tlsprofiles/mozilla_data.go b/internal/shared/util/tlsprofiles/mozilla_data.go
index 8b513172b..184c9787a 100644
--- a/internal/shared/util/tlsprofiles/mozilla_data.go
+++ b/internal/shared/util/tlsprofiles/mozilla_data.go
@@ -96,6 +96,13 @@ func parseProfile(name string, cfg mozillaConfiguration) (tlsProfile, []string,
 panic(fmt.Sprintf("tlsprofiles: profile %q has unrecognized tls_versions[0] %q: %v", name, cfg.TLSVersions[0], err))
 }
+ if len(curveNums) == 0 {
+ panic(fmt.Sprintf("tlsprofiles: profile %q resolved no supported tls_curves from embedded mozilla_data.json", name))
+ }
+ if version < tlsVersion(tls.VersionTLS13) && len(cipherNums) == 0 {
+ panic(fmt.Sprintf("tlsprofiles: profile %q resolved no supported cipher suites from embedded mozilla_data.json", name))
+ }
+
 return tlsProfile{
 ciphers: cipherSlice{cipherNums: cipherNums},
 curves: curveSlice{curveNums: curveNums},
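Review bot: The downloaded payload is renamed over the committed TLS-profile data with nothing checked beyond curl's exit status, so a captive portal or mirror answering 200 with an HTML page, or a redirect that `-L` follows off HTTPS, lands in `mozilla_data.json` and only surfaces later when the Go side parses the embedded copy. Pin the transport and validate the body before the `mv`: `if ! curl -L --proto '=https' --proto-redir '=https' -sS -f "${INPUT}" -o "${tmp}"; then`, and after the `fi` add `jq empty "${tmp}"` (or `python3 -m json.tool "${tmp}" >/dev/null`, whichever the tooling image provides) so `set -e` aborts while the temp file is still covered by the cleanup trap. `-sS` keeps curl quiet on success but prints the real failure reason on stderr, which the generic ERROR line currently hides. Separately, mktemp creates the file 0600, so the regenerated JSON silently loses its usual 0644 mode after the rename; a `chmod 0644 "${tmp}"` before the `mv` avoids that.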
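Review bot: The two new guards need a comment stating why they exist and why the cipher check is skipped at TLS 1.3, because the asymmetry is otherwise puzzling: in crypto/tls an empty CipherSuites or CurvePreferences list means "use the package defaults", so a profile whose names all failed to resolve would silently become broader than Mozilla's list instead of failing, which is the regression these panics prevent, while TLS 1.3 suites are not configurable through CipherSuites at all, so a 1.3-only profile legitimately resolves none. Something like `// An empty list makes crypto/tls fall back to its defaults, silently widening the profile; fail loudly instead.` above the first `if`, and `// crypto/tls ignores CipherSuites for TLS 1.3, so only pre-1.3 profiles need resolved suites.` above the second, would carry that. If the `[]string` result of parseProfile holds the names that could not be resolved (the signature suggests so, but the collection code is outside the hunk), folding it into both panic messages with `%v` would tell the maintainer which entries were dropped rather than only that none survived. parseProfile begins and ends outside this hunk.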