diff --git a/configs/baremetal.h b/configs/baremetal.h
index f82e5f2b9..330b513fc 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -79,6 +79,12 @@
 #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
 #define MBEDTLS_SSL_DTLS_CONNECTION_ID
 
+/* Compile-time fixed parts of the SSL configuration */
+#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET \
+    MBEDTLS_SSL_EXTENDED_MS_ENABLED
+#define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \
+    MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED
+
 /* X.509 CRT parsing */
 #define MBEDTLS_X509_USE_C
 #define MBEDTLS_X509_CRT_PARSE_C
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index e5d593312..8dcb81c5f 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3438,6 +3438,25 @@
 
 /* \} name SECTION: Customisation configuration options */
 
+/**
+ * \name SECTION: Compile-time SSL configuration
+ *
+ * This section allows to fix parts of the SSL configuration
+ * at compile-time. If a field is fixed at compile-time, the
+ * corresponding SSL configuration API `mbedtls_ssl_conf_xxx()`
+ * remains present, but takes no effect anymore.
+ *
+ * This can be used on constrained systems to reduce code-size.
+ * \{
+ */
+
+/* ExtendedMasterSecret extension
+ * The following two options must be set/unset simultaneously. */
+//#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED
+//#define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED
+
+/* \} SECTION: Compile-time SSL configuration */
+
 /* Target and application specific configurations
  *
  * Allow user to override any previous default.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index eeb03e145..562fdac92 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1060,10 +1060,14 @@ struct mbedtls_ssl_config
     unsigned int encrypt_then_mac : 1 ; /*!< negotiate encrypt-then-mac?    */
 #endif
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
     unsigned int extended_ms : 1;   /*!< negotiate extended master secret?  */
+#endif /* !MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
     unsigned int enforce_extended_master_secret : 1; /*!< enforce the usage
                                                       *   of extended master
                                                       *   secret            */
+#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
 #endif
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
     unsigned int anti_replay : 1;   /*!< detect and prevent replay?         */
@@ -1094,6 +1098,34 @@ struct mbedtls_ssl_config
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 };
 
+/*
+ * Getter functions for fields in mbedtls_ssl_config which may
+ * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
+ */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static inline unsigned int mbedtls_ssl_conf_get_ems(
+    mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
+    return( conf->extended_ms );
+#else
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET );
+#endif /* MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
+}
+
+static inline unsigned int
+mbedtls_ssl_conf_get_ems_enforced( mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
+    return( conf->enforce_extended_master_secret );
+#else
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET );
+#endif /* MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
 
 struct mbedtls_ssl_context
 {
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 174e8b150..238eeb14d 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -590,7 +590,8 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
 
     *olen = 0;
 
-    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+    if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
+          MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
         ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
     {
         return;
@@ -1328,7 +1329,8 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
                                          const unsigned char *buf,
                                          size_t len )
 {
-    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
+    if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
+          MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
         ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
         len != 0 )
     {
@@ -2089,10 +2091,11 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
      * Check if extended master secret is being enforced
      */
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
-    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
-        ssl->conf->enforce_extended_master_secret ==
-        MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
-        ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
+    if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
+          MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+        mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
+          MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
+        ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
                                     "secret, while it is enforced") );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index a8821f319..657fbaece 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -567,7 +567,8 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
 
     ((void) buf);
 
-    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+    if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
+          MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
         ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
     {
         ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
@@ -2039,10 +2040,11 @@ read_record_header:
      * Check if extended master secret is being enforced
      */
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
-    if( ssl->conf->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
-        ssl->conf->enforce_extended_master_secret ==
-        MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
-        ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED )
+    if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
+          MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
+        mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
+          MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
+        ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
                                     "secret, while it is enforced") );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 3257732e8..5c8a08eb7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8611,15 +8611,25 @@ void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
 {
+#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
     conf->extended_ms = ems;
+#else
+    ((void) conf);
+    ((void) ems);
+#endif /* !MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
 }
 
 void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
                                                         char ems_enf )
 {
+#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
     conf->enforce_extended_master_secret = ems_enf;
+#else
+    ((void) conf);
+    ((void) ems_enf);
+#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
 }
-#endif
+#endif /* !MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
 
 #if defined(MBEDTLS_ARC4_C)
 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
@@ -10716,9 +10726,13 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #endif
 
 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
     conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+#endif /* !MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
+#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
     conf->enforce_extended_master_secret =
         MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED;
+#endif /* !MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
 #endif
 
 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index ab3c772ab..dd5370959 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -2098,6 +2098,22 @@ int query_config( const char *config )
     }
 #endif /* MBEDTLS_XTEA_C */
 
+#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
+    if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
+
+#if defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
+    if( strcmp( "MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
+
 #if defined(MBEDTLS_MPI_WINDOW_SIZE)
     if( strcmp( "MBEDTLS_MPI_WINDOW_SIZE", config ) == 0 )
     {