diff --git a/components/esp-tls/Kconfig b/components/esp-tls/Kconfig
index 636860986e..1c6911c69d 100644
--- a/components/esp-tls/Kconfig
+++ b/components/esp-tls/Kconfig
@@ -66,8 +66,8 @@ menu "ESP-TLS"
 bool "Enable PSK verification"
 select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
 select MBEDTLS_KEY_EXCHANGE_PSK if ESP_TLS_USING_MBEDTLS
- select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS
- select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS
+ select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C
+ select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_ECDH_C
 select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
 default n
 help
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index bc7430826b..978727db97 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -426,7 +426,7 @@ menu "mbedTLS"
 config MBEDTLS_KEY_EXCHANGE_DHE_PSK
 bool "Enable DHE-PSK based ciphersuite modes"
- depends on MBEDTLS_PSK_MODES
+ depends on MBEDTLS_PSK_MODES && MBEDTLS_DHM_C
 default y
 help
 Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
@@ -454,6 +454,7 @@ menu "mbedTLS"
 config MBEDTLS_KEY_EXCHANGE_DHE_RSA
 bool "Enable DHE-RSA based ciphersuite modes"
 default y
+ depends on MBEDTLS_DHM_C
 help
 Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH-
 
@@ -716,6 +717,16 @@ menu "mbedTLS"
 bool "Elliptic Curve Ciphers"
 default y
 
+ config MBEDTLS_DHM_C
+ bool "Diffie-Hellman-Merkle key exchange (DHM)"
+ default n
+ help
+ Enable DHM. Needed to use DHE-xxx TLS ciphersuites.
+
+ Note that the security of Diffie-Hellman key exchanges depends on
+ a suitable prime being used for the exchange. Please see detailed
+ warning text about this in file `mbedtls/dhm.h` file.
+
 config MBEDTLS_ECDH_C
 bool "Elliptic Curve Diffie-Hellman (ECDH)"
 depends on MBEDTLS_ECP_C
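Review bot: With MBEDTLS_DHM_C defaulting to n, enabling PSK verification no longer brings in the DHE-PSK ciphersuites: the added `if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C` guard silently skips the select, and nothing in menuconfig tells the user why the TLS-DHE-PSK-* suites disappeared; the same applies to ECDHE-PSK when MBEDTLS_ECDH_C is off. The option's help text starts at the hunk's last line and continues outside it, so I would add a sentence there such as `DHE-PSK and ECDHE-PSK ciphersuites are only selected when MBEDTLS_DHM_C and MBEDTLS_ECDH_C, respectively, are enabled.` Guarding the select instead of selecting MBEDTLS_DHM_C from here is the right choice, since it keeps the DHM module opt-in.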
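Review bot: In the MBEDTLS_KEY_EXCHANGE_DHE_RSA entry the new `depends on MBEDTLS_DHM_C` is placed after `default y`, whereas the DHE-PSK entry in the hunk above puts `depends on` before `default`; moving it directly under the `bool` line keeps the two entries parallel. Because MBEDTLS_DHM_C defaults to n, this option is now hidden and effectively off in a default build despite its `default y`, so TLS-DHE-RSA-* suites vanish unless DHM is enabled explicitly. A help-text sentence such as `Requires MBEDTLS_DHM_C to be enabled.` would make that dependency visible in menuconfig.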
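Review bot: The help text of the new MBEDTLS_DHM_C option reads "in file `mbedtls/dhm.h` file", repeating the word; I would write `Please see the detailed warning about this in mbedtls/dhm.h.` It is also worth stating that this module used to be compiled in unconditionally (the esp_config.h hunk below replaces an unconditional `#define MBEDTLS_DHM_C`) and is now off by default, so projects relying on DHE-RSA or DHE-PSK ciphersuites know they must enable it, e.g. `Disabled by default; previously always enabled. Required by the MBEDTLS_KEY_EXCHANGE_DHE_* options.`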
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index f36ebf9bc7..24faec132a 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -1601,7 +1601,11 @@
 * This module is used by the following key exchanges:
 * DHE-RSA, DHE-PSK
 */
+#ifdef CONFIG_MBEDTLS_DHM_C
 #define MBEDTLS_DHM_C
+#else
+#undef MBEDTLS_DHM_C
+#endif
 
 /**
 * \def MBEDTLS_ECDH_C
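Review bot: The `#undef MBEDTLS_DHM_C` in the `#else` branch only has an effect if something earlier in the include chain defines the macro; I cannot see the rest of this header, so if nothing does, the branch is redundant and a plain `#ifdef CONFIG_MBEDTLS_DHM_C` / `#define MBEDTLS_DHM_C` / `#endif` suffices, while if the port deliberately overrides an upstream default it deserves a one-line comment saying so. The doc comment above the definition (its start is outside the hunk) still lists the DHE-RSA and DHE-PSK key exchanges but not the switch that now controls them; I would add `Controlled by CONFIG_MBEDTLS_DHM_C and off by default; the DHE-* key exchanges above depend on it.`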