-rw-r--r-- | configure.ac | 3 | ||||
-rw-r--r-- | lib/buffers.c | 10 | ||||
-rw-r--r-- | lib/debug.c | 2 | ||||
-rw-r--r-- | lib/handshake.c | 2 | ||||
-rw-r--r-- | lib/record.c | 14 | ||||
-rw-r--r-- | lib/sslv2_compat.c | 2 | ||||
-rw-r--r-- | m4/hooks.m4 | 15 |
7 files changed, 43 insertions, 5 deletions
diff --git a/configure.ac b/configure.ac index 6ab9cdcbf7..ff47b6289a 100644 --- a/configure.ac +++ b/configure.ac @@ -942,7 +942,8 @@ AC_MSG_NOTICE([Optional features: (note that included applications might not compile properly if features are disabled) - SSL3 support: $ac_enable_ssl3 + SSL3.0 support: $ac_enable_ssl3 + SSL2.0 client hello: $ac_enable_ssl2 DTLS-SRTP support: $ac_enable_srtp ALPN support: $ac_enable_alpn OCSP support: $ac_enable_ocsp diff --git a/lib/buffers.c b/lib/buffers.c index e43a0c4b5d..f0faa709ae 100644 --- a/lib/buffers.c +++ b/lib/buffers.c @@ -887,6 +887,7 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel, dataptr = _mbuffer_get_udata_ptr(bufel); /* if reading a client hello of SSLv2 */ +#ifdef ENABLE_SSL2 if (unlikely (!IS_DTLS(session) && bufel->htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)) { @@ -903,7 +904,9 @@ parse_handshake_header(gnutls_session_t session, mbuffer_st * bufel, hsk->sequence = 0; hsk->start_offset = 0; hsk->end_offset = hsk->length; - } else { /* TLS or DTLS handshake headers */ + } else +#endif + { /* TLS or DTLS handshake headers */ hsk->htype = dataptr[0]; @@ -1075,7 +1078,10 @@ inline static int cmp_hsk_types(gnutls_handshake_description_t expected, gnutls_handshake_description_t recvd) { if ((expected != GNUTLS_HANDSHAKE_CLIENT_HELLO - || recvd != GNUTLS_HANDSHAKE_CLIENT_HELLO_V2) +#ifdef ENABLE_SSL2 + || recvd != GNUTLS_HANDSHAKE_CLIENT_HELLO_V2 +#endif + ) && (expected != recvd)) return 0; diff --git a/lib/debug.c b/lib/debug.c index 6ab12c6943..252f2470a6 100644 --- a/lib/debug.c +++ b/lib/debug.c @@ -90,9 +90,11 @@ const char case GNUTLS_HANDSHAKE_CLIENT_HELLO: return "CLIENT HELLO"; break; +#ifdef ENABLE_SSL2 case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2: return "SSL2 CLIENT HELLO"; break; +#endif case GNUTLS_HANDSHAKE_SERVER_HELLO: return "SERVER HELLO"; break; diff --git a/lib/handshake.c b/lib/handshake.c index 0f65a67c2c..965698e3ca 100644 --- a/lib/handshake.c +++ b/lib/handshake.c 
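Review bot: In the lib/buffers.c cmp_hsk_types hunk, building with ENABLE_SSL2 undefined reduces the condition to `(expected != GNUTLS_HANDSHAKE_CLIENT_HELLO) && (expected != recvd)`, so whenever a client hello is expected the function never returns 0 and any received handshake type passes as a match; the original only opened that exception for a V2 client hello. The disabled build should fall back to a strict `expected != recvd` comparison rather than a weaker one. Restructuring the check so the V2 exception is a separate, conditional early return keeps both configurations correct. The function's trailing return lies outside the hunk.
```c
inline static int
cmp_hsk_types(gnutls_handshake_description_t expected,
	      gnutls_handshake_description_t recvd)
{
#ifdef ENABLE_SSL2
	/* an SSLv2-format client hello satisfies an expected client hello */
	if (expected == GNUTLS_HANDSHAKE_CLIENT_HELLO
	    && recvd == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
		return 1;
#endif
	if (expected != recvd)
		return 0;
	/* … unchanged: remainder of the function … */
```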
@@ -1469,12 +1469,14 @@ _gnutls_recv_handshake(gnutls_session_t session, case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2: case GNUTLS_HANDSHAKE_CLIENT_HELLO: case GNUTLS_HANDSHAKE_SERVER_HELLO: +#ifdef ENABLE_SSL2 if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2) ret = _gnutls_read_client_hello_v2(session, hsk.data.data, hsk.data.length); else +#endif ret = recv_hello(session, hsk.data.data, hsk.data.length); diff --git a/lib/record.c b/lib/record.c index aae1a1443a..ad60967662 100644 --- a/lib/record.c +++ b/lib/record.c @@ -61,7 +61,9 @@ struct tls_record_st { uint16_t packet_size; /* header_size + length */ content_type_t type; uint16_t epoch; /* valid in DTLS only */ +#ifdef ENABLE_SSL2 unsigned v2:1; /* whether an SSLv2 client hello */ +#endif /* the data */ }; @@ -948,6 +950,7 @@ record_read_headers(gnutls_session_t session, * version 2 message */ +#ifdef ENABLE_SSL2 if (htype == GNUTLS_HANDSHAKE_CLIENT_HELLO && type == GNUTLS_HANDSHAKE && headers[0] > 127 && !(IS_DTLS(session))) { @@ -977,9 +980,13 @@ record_read_headers(gnutls_session_t session, session, _gnutls_packet2str(record->type), record->length); - } else { + } else +#endif + { /* dtls version 1.0 and TLS version 1.x */ +#ifdef ENABLE_SSL2 record->v2 = 0; +#endif record->type = headers[0]; record->version[0] = headers[1]; @@ -1290,9 +1297,12 @@ _gnutls_recv_in_buffers(gnutls_session_t session, content_type_t type, goto begin; } +#ifdef ENABLE_SSL2 if (record.v2) { decrypted->htype = GNUTLS_HANDSHAKE_CLIENT_HELLO_V2; - } else { + } else +#endif + { uint8_t *p = _mbuffer_get_udata_ptr(decrypted); decrypted->htype = p[0]; } diff --git a/lib/sslv2_compat.c b/lib/sslv2_compat.c index f742a098d8..f85fb8c163 100644 --- a/lib/sslv2_compat.c +++ b/lib/sslv2_compat.c @@ -41,6 +41,7 @@ #include "sslv2_compat.h" #include "constate.h" +#ifdef ENABLE_SSL2 /* This selects the best supported ciphersuite from the ones provided */ static int _gnutls_handshake_select_v2_suite(gnutls_session_t session, 
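Review bot: The `case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:` label at the top of the lib/handshake.c hunk stays unconditional while the code that handles it is now under `#ifdef ENABLE_SSL2`, whereas the matching case in lib/debug.c was wrapped in the same guard. In a build without SSL2 the label is harmless, since record.c no longer produces that type, but it reads as if a V2 hello would be routed to recv_hello. Wrapping the label the way debug.c does, `#ifdef ENABLE_SSL2` / `case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:` / `#endif`, keeps the two switches consistent. The enclosing switch in _gnutls_recv_handshake starts and ends outside the hunk.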
@@ -254,3 +255,4 @@ _gnutls_read_client_hello_v2(gnutls_session_t session, uint8_t * data, return sret; } +#endif diff --git a/m4/hooks.m4 b/m4/hooks.m4 index 9d057951d9..08499cdcd9 100644 --- a/m4/hooks.m4 +++ b/m4/hooks.m4 @@ -155,6 +155,21 @@ LIBTASN1_MINIMUM=4.3 fi AM_CONDITIONAL(ENABLE_SSL3, test "$ac_enable_ssl3" != "no") + ac_enable_ssl2=yes + AC_MSG_CHECKING([whether to disable the SSL 2.0 client hello]) + AC_ARG_ENABLE(ssl2-support, + AS_HELP_STRING([--disable-ssl2-support], + [disable support for the SSL 2.0 client hello]), + ac_enable_ssl2=$enableval) + if test x$ac_enable_ssl2 != xno; then + AC_MSG_RESULT(no) + AC_DEFINE([ENABLE_SSL2], 1, [enable SSL2.0 support for client hello]) + else + ac_full=0 + AC_MSG_RESULT(yes) + fi + AM_CONDITIONAL(ENABLE_SSL3, test "$ac_enable_ssl2" != "no") + ac_enable_srtp=yes AC_MSG_CHECKING([whether to disable DTLS-SRTP extension]) AC_ARG_ENABLE(dtls-srtp-support, |
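Review bot: The new `AM_CONDITIONAL(ENABLE_SSL3, test "$ac_enable_ssl2" != "no")` at the end of the m4/hooks.m4 block names the SSL3 conditional but tests `$ac_enable_ssl2`, so it redefines the existing ENABLE_SSL3 conditional from the wrong variable (automake may reject the duplicate) and never defines an ENABLE_SSL2 conditional for Makefile.am to use. It should read `AM_CONDITIONAL(ENABLE_SSL2, test "$ac_enable_ssl2" != "no")`. Note also that `ac_enable_ssl2=yes` keeps the SSL 2.0 client hello parsing compiled in by default, so the reduction in parsed legacy formats only applies to builds that pass `--disable-ssl2-support`; stating that in the help string or release notes would make the intended default clear.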