Add POLARSSL_REMOVE_RC4_CIPHERSUITES
diff --git a/ChangeLog b/ChangeLog
index a16a948..a0a8a18 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,8 @@
    * Blowfish in the cipher layer now supports variable length keys.
    * Add example config.h for PSK with CCM, optimized for low RAM usage.
    * Optimize for RAM usage in example config.h for NSA Suite B profile.
+   * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
+     from the default list (inactive by default).
 
 Changes
    * Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 0dca560..9aae611 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -315,6 +315,19 @@
 //#define POLARSSL_ENABLE_WEAK_CIPHERSUITES
 
 /**
+ * \def POLARSSL_REMOVE_ARC4_CIPHERSUITES
+ *
+ * Remove RC4 ciphersuites by default in SSL / TLS.
+ * This flag removes the ciphersuites based on RC4 from the default list as
+ * returned by ssl_list_ciphersuites(). However, it is still possible to
+ * enable (some of) them with ssl_set_ciphersuites() by including them
+ * explicitly.
+ *
+ * Uncomment this macro to remove RC4 ciphersuites by default.
+ */
+//#define POLARSSL_REMOVE_ARC4_CIPHERSUITES
+
+/**
  * \def POLARSSL_ECP_XXXX_ENABLED
  *
  * Enables specific curves within the Elliptic Curve module.
diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c
index 7463353..608e26d 100644
--- a/library/ssl_ciphersuites.c
+++ b/library/ssl_ciphersuites.c
@@ -1694,7 +1694,13 @@
 
         for( i = 0; i < max - 1 && p[i] != 0; i++ )
         {
+#if defined(POLARSSL_REMOVE_ARC4_CIPHERSUITES)
+            const ssl_ciphersuite_t *cs_info;
+            if( ( cs_info = ssl_ciphersuite_from_id( p[i] ) ) != NULL &&
+                cs_info->cipher != POLARSSL_CIPHER_ARC4_128 )
+#else
             if( ssl_ciphersuite_from_id( p[i] ) != NULL )
+#endif
                 *(q++) = p[i];
         }
         *q = 0;