diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 67cb77856..88f47011b 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -650,6 +650,13 @@
 #error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequsites"
 #endif
 
+#if ( defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
+ !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) ) || \
+ ( !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
+ defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) )
+#define "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET and MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET must be defined together."
+#endif
+
 #if defined(MBEDTLS_SSL_TICKET_C) && !defined(MBEDTLS_CIPHER_C)
 #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
 #endif
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 8dcb81c5f..2116521dc 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3444,7 +3444,7 @@
  * This section allows to fix parts of the SSL configuration
  * at compile-time. If a field is fixed at compile-time, the
  * corresponding SSL configuration API `mbedtls_ssl_conf_xxx()`
- * remains present, but takes no effect anymore.
+ * is removed.
  *
  * This can be used on constrained systems to reduce code-size.
  * \{
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0864fc247..fff20ff1b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
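Review bot: The directive added under the new mismatched-option check is `#define` followed by a string literal, where every neighbouring check in this file uses `#error`; a `#define` whose "name" is not an identifier is a constraint violation that compilers reject, so the build still stops when exactly one of the two options is defined, but with a diagnostic about the malformed `#define` rather than the message the author wrote. The line should read `#error "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET and MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET must be defined together."`. This check is the only thing that prevents a half-fixed build in which one of the two extended-master-secret settings is frozen at compile time while the other stays runtime-settable, so it is worth a compile test of both mismatched configurations.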
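Review bot: `* is removed.` is terser than the sentence it replaces and leaves the consequence for application code implicit, which matters because the rest of this commit turns a call to a compile-time-fixed setter from a silent no-op into a build failure. Suggest expanding it to `* is removed, so any call to it must be guarded by the matching MBEDTLS_SSL_CONF_xxx check; a setting fixed at build time can no longer be silently overridden at runtime.` Whether the public header's declarations are guarded the same way as the definitions in library/ssl_tls.c is not visible in this diff, so the comment should not promise a compile-time (as opposed to link-time) error unless that is the case.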
@@ -8610,26 +8610,19 @@ void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm ) #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) +#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems ) { -#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) conf->extended_ms = ems; -#else - ((void) conf); - ((void) ems); -#endif /* !MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */ } - +#endif /* !MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */ +#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf, char ems_enf ) { -#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) conf->enforce_extended_master_secret = ems_enf; -#else - ((void) conf); - ((void) ems_enf); -#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */ } +#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */ #endif /* !MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ #if defined(MBEDTLS_ARC4_C) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index d859101c1..982857659 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -245,7 +245,9 @@ int main( void ) #define USAGE_FALLBACK "" #endif -#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) +#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ + !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \ + !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) #define USAGE_EMS \ " extended_ms=0/1 default: (library default: on)\n" \ " enforce_extended_master_secret=0/1 default: (library default: off)\n" 
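Review bot: The new `#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)` and `#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)` guards remove the two setter definitions, but this diff does not show the matching declarations in the public header being guarded the same way; if they still exist unconditionally, an application that calls either setter in a build where the value is fixed fails at link time with an undefined-reference error instead of a clear compile-time diagnostic. Dropping the old `((void) conf); ((void) ems);` stub bodies is the right call from a security standpoint: a call to `mbedtls_ssl_conf_extended_master_secret_enforce()` that compiled but did nothing could leave a deployment believing extended-master-secret enforcement was on when it was not. Since check_config.h in this same commit requires the two `MBEDTLS_SSL_CONF_*` macros to be defined together, the two separate guards could be collapsed into one `#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)` region around both functions, which is less to keep in sync. A one-line comment above each function, such as `/* Only available when the setting is not fixed via MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET. */`, would also help readers who land here from the header.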
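Review bot: The three-line guard `#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)` is now repeated verbatim at four places (here, ssl_client2.c @@ -1706, ssl_server2.c @@ -344 and @@ -2491), which is easy to let drift as further compile-time-fixed options are added; computing it once per program into a single helper macro and testing that would keep the usage text and the `mbedtls_ssl_conf_*` calls in step. More importantly, only the usage string and the setter calls are guarded: the option parsing that fills `opt.extended_ms` and `opt.enforce_extended_master_secret` is not in this diff, and if it still accepts `extended_ms=` and `enforce_extended_master_secret=` in a build where the values are fixed, a user asking for enforcement on the command line has the request silently ignored, which is exactly the silent no-op the library side of this commit removes. Suggest rejecting those options with the usual usage error under the same guard, so the test programs report the mismatch rather than hiding it.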
@@ -1706,7 +1708,9 @@ int main( int argc, char *argv[] )
     mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac );
 #endif
 
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
+ !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
+ !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
     if( opt.extended_ms != DFL_EXTENDED_MS )
         mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
     if( opt.enforce_extended_master_secret != DFL_EXTENDED_MS_ENFORCE )
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 8a12de23d..5d751b6a7 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -344,7 +344,9 @@ int main( void )
 #define USAGE_DTLS ""
 #endif
 
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
+ !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
+ !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
 #define USAGE_EMS \
 " extended_ms=0/1 default: (library default: on)\n" \
 " enforce_extended_master_secret=0/1 default: (library default: off)\n"
@@ -2491,7 +2493,9 @@ int main( int argc, char *argv[] )
     mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac );
 #endif
 
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
+ !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \
+ !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
     if( opt.extended_ms != DFL_EXTENDED_MS )
         mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
     if( opt.enforce_extended_master_secret != DFL_EXTENDED_MS_ENFORCE )