diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk

--- a/lib/ssl/config.mk

+++ b/lib/ssl/config.mk

@@ -2,16 +2,20 @@

 # This Source Code Form is subject to the terms of the Mozilla Public

 # License, v. 2.0. If a copy of the MPL was not distributed with this

 # file, You can obtain one at http://mozilla.org/MPL/2.0/.

 ifdef NISCC_TEST

 DEFINES += -DNISCC_TEST

 endif

+ifdef NSS_NO_SSL2

+DEFINES += -DNSS_NO_SSL2

+endif

+

 ifdef NSS_NO_PKCS11_BYPASS

 DEFINES += -DNO_PKCS11_BYPASS

 else

 CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)

 EXTRA_LIBS += \

 	$(CRYPTOLIB) \

 	$(NULL)

diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c

--- a/lib/ssl/sslsock.c

+++ b/lib/ssl/sslsock.c

@@ -649,16 +649,24 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh

         if (ss->cipherSpecs) {

             PORT_Free(ss->cipherSpecs);

             ss->cipherSpecs     = NULL;

             ss->sizeCipherSpecs = 0;

         }

         break;

       case SSL_ENABLE_SSL2:

+#ifdef NSS_NO_SSL2

+        if (on) {

+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);

+            rv = SECFailure; /* not allowed */

+        }

+        break;

+        ss->opt.enableSSL2      = on;

+#else

         if (IS_DTLS(ss)) {

             if (on) {

                 PORT_SetError(SEC_ERROR_INVALID_ARGS);

                 rv = SECFailure; /* not allowed */

             }

             break;

         }

         ss->opt.enableSSL2       = on;

@@ -666,42 +674,51 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh

             ss->opt.v2CompatibleHello = on;

         }

         ss->preferredCipher     = NULL;

         if (ss->cipherSpecs) {

             PORT_Free(ss->cipherSpecs);

             ss->cipherSpecs     = NULL;

             ss->sizeCipherSpecs = 0;

         }

+#endif /* NSS_NO_SSL2 */

         break;

       case SSL_NO_CACHE:

         ss->opt.noCache = on;

         break;

       case SSL_ENABLE_FDX:

         if (on && ss->opt.noLocks) {

             PORT_SetError(SEC_ERROR_INVALID_ARGS);

             rv = SECFailure;

         }

         ss->opt.fdx = on;

         break;

       case SSL_V2_COMPATIBLE_HELLO:

+#ifdef NSS_NO_SSL2

+        if (on) {

+            PORT_SetError(SSL_ERROR_SSL2_DISABLED);

+            rv = SECFailure; /* not allowed */

+            break;

+        }

+#else

         if (IS_DTLS(ss)) {

             if (on) {

                 PORT_SetError(SEC_ERROR_INVALID_ARGS);

                 rv = SECFailure; /* not allowed */

             }

             break;

         }

         ss->opt.v2CompatibleHello = on;

         if (!on) {

             ss->opt.enableSSL2    = on;

         }

+#endif /* NSS_NO_SSL2 */

         break;

       case SSL_ROLLBACK_DETECTION:

         ss->opt.detectRollBack = on;

         break;

       case SSL_NO_STEP_DOWN:

         ss->opt.noStepDown     = on;

@@ -1155,17 +1172,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt

     if (rv != SECSuccess) {

         return rv;

     }

     if (ssl_IsRemovedCipherSuite(which)) {

         rv = SECSuccess;

     } else if (SSL_IS_SSL2_CIPHER(which)) {

+#ifdef NSS_NO_SSL2

+        rv = SSL_ERROR_SSL2_DISABLED;

+#else

         rv = ssl2_SetPolicy(which, policy);

+#endif /* NSS_NO_SSL2 */

     } else {

         rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);

     }

     return rv;

 }

 SECStatus

 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)