diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h
index c9b58dd53..bd2c1a3b8 100644
--- a/configs/config-ccm-psk-tls1_2.h
+++ b/configs/config-ccm-psk-tls1_2.h
@@ -41,6 +41,7 @@
 /* mbed TLS feature support */
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_SSL_PROTO_TLS
 /* mbed TLS modules */
 #define MBEDTLS_AES_C
diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h
index 013bc0300..349ea8e57 100644
--- a/configs/config-mini-tls1_1.h
+++ b/configs/config-mini-tls1_1.h
@@ -40,6 +40,7 @@
 #define MBEDTLS_PKCS1_V15
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_1
+#define MBEDTLS_SSL_PROTO_TLS
 /* mbed TLS modules */
 #define MBEDTLS_AES_C
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h
index 18e2c4036..e6fad1c0e 100644
--- a/configs/config-suite-b.h
+++ b/configs/config-suite-b.h
@@ -47,6 +47,7 @@
 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 #define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_SSL_PROTO_TLS
 /* mbed TLS modules */
 #define MBEDTLS_AES_C
diff --git a/configs/config-thread.h b/configs/config-thread.h
index 25db16bf0..3166aa970 100644
--- a/configs/config-thread.h
+++ b/configs/config-thread.h
@@ -29,6 +29,7 @@
 * Distinguishing features:
 * - no RSA or classic DH, fully based on ECC
 * - no X.509
+ * - no TLS, only DTLS
 * - support for experimental EC J-PAKE key exchange
 *
 * See README.txt for usage instructions.
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 48555f68a..fccf10439 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -562,7 +562,12 @@
 #if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \
 !defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
 !defined(MBEDTLS_SSL_PROTO_TLS1_2))
-#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active"
+#error "MBEDTLS_SSL_TLS_C defined, but no protocol version is active"
+#endif
+
+#if defined(MBEDTLS_SSL_TLS_C) && \
+ (!defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_DTLS))
+#error "MBEDTLS_SSL_TLS_C defined, but neither TLS or DTLS is active"
 #endif
 #if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index f5b2de90c..69f68dda4 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1453,7 +1453,7 @@
 /**
 * \def MBEDTLS_SSL_PROTO_SSL3
 *
- * Enable support for SSL 3.0.
+ * Enable support for SSL 3.0 (if TLS is enabled).
 *
 * Requires: MBEDTLS_MD5_C
 * MBEDTLS_SHA1_C
@@ -1465,7 +1465,7 @@
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1
 *
- * Enable support for TLS 1.0.
+ * Enable support for TLS 1.0 (if TLS is enabled).
 *
 * Requires: MBEDTLS_MD5_C
 * MBEDTLS_SHA1_C
@@ -1477,7 +1477,8 @@
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1_1
 *
- * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
+ * Enable support for TLS 1.1 (if TLS is enabled) and DTLS 1.0 (if DTLS is
+ * enabled).
 *
 * Requires: MBEDTLS_MD5_C
 * MBEDTLS_SHA1_C
@@ -1489,7 +1490,8 @@
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1_2
 *
- * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
+ * Enable support for TLS 1.2 (if TLS is enabled) and DTLS 1.2 (if DTLS is
+ * enabled).
 *
 * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
 * (Depends on ciphersuites)
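Review bot: In the check_config.h hunk, the two checks together still accept a DTLS-only build (MBEDTLS_SSL_PROTO_DTLS without MBEDTLS_SSL_PROTO_TLS) whose only version macro is MBEDTLS_SSL_PROTO_SSL3 or MBEDTLS_SSL_PROTO_TLS1, even though the config.h text changed in this same commit says those two versions apply only when TLS is enabled. Such a configuration would compile with no usable protocol version rather than failing loudly. Unless a DTLS-specific check elsewhere in this file (not visible in the hunk) already rejects it, add a guard such as `#if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_SSL_PROTO_TLS) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && !defined(MBEDTLS_SSL_PROTO_TLS1_2)` followed by an `#error`. The new message should also read `"MBEDTLS_SSL_TLS_C defined, but neither TLS nor DTLS is active"`.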
@@ -1513,6 +1515,23 @@
 */
 #define MBEDTLS_SSL_PROTO_DTLS
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS
+ *
+ * Enable support for TLS (all available versions).
+ *
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1 to enable TLS 1.0,
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable TLS 1.1,
+ * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable TLS 1.2.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_1
+ * or MBEDTLS_SSL_PROTO_TLS1_1
+ * or MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for TLS
+ */
+#define MBEDTLS_SSL_PROTO_TLS
+
 /**
 * \def MBEDTLS_SSL_ALPN
 *
diff --git a/library/version_features.c b/library/version_features.c
index 7494b4287..fc0b1f8f0 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -486,6 +486,9 @@ static const char *features[] = {
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 "MBEDTLS_SSL_PROTO_DTLS",
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_PROTO_TLS)
+ "MBEDTLS_SSL_PROTO_TLS",
+#endif /* MBEDTLS_SSL_PROTO_TLS */
 #if defined(MBEDTLS_SSL_ALPN)
 "MBEDTLS_SSL_ALPN",
 #endif /* MBEDTLS_SSL_ALPN */
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index e1d1332f2..be35a76ce 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -1338,6 +1338,14 @@ int query_config( const char *config )
 }
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_PROTO_TLS)
+ if( strcmp( "MBEDTLS_SSL_PROTO_TLS", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_PROTO_TLS );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_PROTO_TLS */
+
 #if defined(MBEDTLS_SSL_ALPN)
 if( strcmp( "MBEDTLS_SSL_ALPN", config ) == 0 )
 {
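Review bot: The `Requires:` list in the new MBEDTLS_SSL_PROTO_TLS comment (config.h hunk) names MBEDTLS_SSL_PROTO_TLS1_1 twice; the first entry was presumably meant to be MBEDTLS_SSL_PROTO_TLS1. The comment also never mentions SSL 3.0, although the MBEDTLS_SSL_PROTO_SSL3 text changed in this commit says that version is gated on TLS being enabled, so a reader trimming old protocol versions out of a configuration gets an incomplete picture of what this switch controls. Suggested wording: `Requires: MBEDTLS_SSL_PROTO_SSL3 or MBEDTLS_SSL_PROTO_TLS1 or MBEDTLS_SSL_PROTO_TLS1_1 or MBEDTLS_SSL_PROTO_TLS1_2`, plus a line `Enable this and MBEDTLS_SSL_PROTO_SSL3 to enable SSL 3.0,` ahead of the TLS 1.0 entry.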