diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
--- a/lib/ssl/config.mk
+++ b/lib/ssl/config.mk
@@ -2,16 +2,20 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 ifdef NISCC_TEST
 DEFINES += -DNISCC_TEST
 endif
 
+ifdef NSS_NO_SSL2
+DEFINES += -DNSS_NO_SSL2
+endif
+
 ifdef NSS_NO_PKCS11_BYPASS
 DEFINES += -DNO_PKCS11_BYPASS
 else
 CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
 
 EXTRA_LIBS += \
 $(CRYPTOLIB) \
 $(NULL)
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -649,16 +649,24 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
 if (ss->cipherSpecs) {
 PORT_Free(ss->cipherSpecs);
 ss->cipherSpecs = NULL;
 ss->sizeCipherSpecs = 0;
 }
 break;
 
 case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2
+if (on) {
+PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+rv = SECFailure; /* not allowed */
+}
+break;
+ss->opt.enableSSL2 = on;
+#else
 if (IS_DTLS(ss)) {
 if (on) {
 PORT_SetError(SEC_ERROR_INVALID_ARGS);
 rv = SECFailure; /* not allowed */
 }
 break;
 }
 ss->opt.enableSSL2 = on;
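Review bot: In the new `#ifdef NSS_NO_SSL2` branch of the SSL_ENABLE_SSL2 case, `ss->opt.enableSSL2 = on;` comes after an unconditional `break;` and is unreachable, so disabling the option (`on == PR_FALSE`) never writes the field. Either drop that line or move the `break;` inside the `if (on)` block so the assignment is reached, which also matches the shape used for SSL_V2_COMPATIBLE_HELLO later in this commit: `rv = SECFailure; /* not allowed */`, `break;`, `}`, then `ss->opt.enableSSL2 = on;`. SSL_OptionSet begins and ends outside this hunk.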
@@ -666,42 +674,51 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
 ss->opt.v2CompatibleHello = on;
 }
 ss->preferredCipher = NULL;
 if (ss->cipherSpecs) {
 PORT_Free(ss->cipherSpecs);
 ss->cipherSpecs = NULL;
 ss->sizeCipherSpecs = 0;
 }
+#endif /* NSS_NO_SSL2 */
 break;
 
 case SSL_NO_CACHE:
 ss->opt.noCache = on;
 break;
 
 case SSL_ENABLE_FDX:
 if (on && ss->opt.noLocks) {
 PORT_SetError(SEC_ERROR_INVALID_ARGS);
 rv = SECFailure;
 }
 ss->opt.fdx = on;
 break;
 
 case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2
+if (on) {
+PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+rv = SECFailure; /* not allowed */
+break;
+}
+#else
 if (IS_DTLS(ss)) {
 if (on) {
 PORT_SetError(SEC_ERROR_INVALID_ARGS);
 rv = SECFailure; /* not allowed */
 }
 break;
 }
 ss->opt.v2CompatibleHello = on;
 if (!on) {
 ss->opt.enableSSL2 = on;
 }
+#endif /* NSS_NO_SSL2 */
 break;
 
 case SSL_ROLLBACK_DETECTION:
 ss->opt.detectRollBack = on;
 break;
 
 case SSL_NO_STEP_DOWN:
 ss->opt.noStepDown = on;
@@ -1155,17 +1172,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
 
 if (rv != SECSuccess) {
 return rv;
 }
 
 if (ssl_IsRemovedCipherSuite(which)) {
 rv = SECSuccess;
 } else if (SSL_IS_SSL2_CIPHER(which)) {
+#ifdef NSS_NO_SSL2
+rv = SSL_ERROR_SSL2_DISABLED;
+#else
 rv = ssl2_SetPolicy(which, policy);
+#endif /* NSS_NO_SSL2 */
 } else {
 rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
 }
 return rv;
 }
 
 SECStatus
 SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
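Review bot: In the `NSS_NO_SSL2` branch of the SSL_V2_COMPATIBLE_HELLO case, `on == PR_FALSE` reaches the `break;` without writing `ss->opt.v2CompatibleHello`, whereas the `#else` path always stores the value; the two are only equivalent if the option already defaults to off when SSL2 is compiled out, which this hunk does not show. A comment such as `/* SSL2 compiled out: option is fixed at PR_FALSE */` before the `break;`, or an explicit `ss->opt.v2CompatibleHello = PR_FALSE;`, would make that intent visible to the next reader. The `#endif /* NSS_NO_SSL2 */` at the top of this hunk closes the guard opened in the previous hunk; SSL_OptionSet begins and ends outside this hunk.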
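Review bot: `rv = SSL_ERROR_SSL2_DISABLED;` in SSL_CipherPolicySet stores what appears to be an error-code constant in a `SECStatus`, so a caller testing `rv == SECFailure` will not see a failure and `PORT_GetError()` is left unset. It should follow the convention the same commit uses in SSL_OptionSet: `PORT_SetError(SSL_ERROR_SSL2_DISABLED); rv = SECFailure;`. The rest of SSL_CipherPolicySet starts before this hunk.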