diff --git a/ChangeLog.d/issue4361.txt b/ChangeLog.d/issue4361.txt
new file mode 100644
index 0000000000..670c8a6580
--- /dev/null
+++ b/ChangeLog.d/issue4361.txt
@@ -0,0 +1,2 @@
+Removals
+   * Remove the MBEDTLS_SSL_RECORD_CHECKING option. Fixes #4361.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 603d985ae0..aa69848c78 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1467,20 +1467,6 @@
  */
 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
 
-/**
- * \def MBEDTLS_SSL_RECORD_CHECKING
- *
- * Enable the function mbedtls_ssl_check_record() which can be used to check
- * the validity and authenticity of an incoming record, to verify that it has
- * not been seen before. These checks are performed without modifying the
- * externally visible state of the SSL context.
- *
- * See mbedtls_ssl_check_record() for more information.
- *
- * Uncomment to enable support for record checking.
- */
-#define MBEDTLS_SSL_RECORD_CHECKING
-
 /**
  * \def MBEDTLS_SSL_DTLS_CONNECTION_ID
  *
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 40814e660d..a47631c94f 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1795,7 +1795,6 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
  */
 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
 
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
 /**
  * \brief          Check whether a buffer contains a valid and authentic record
  *                 that has not been seen before. (DTLS only).
@@ -1843,7 +1842,6 @@ void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
 int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
                               unsigned char *buf,
                               size_t buflen );
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
 
 /**
  * \brief          Set the timer callbacks (Mandatory for DTLS.)
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 3956a67d27..c2fcdcbfd2 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -86,7 +86,6 @@ int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
     return( 0 );
 }
 
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
 static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
                                     unsigned char *buf,
                                     size_t len,
@@ -150,7 +149,6 @@ exit:
     MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
     return( ret );
 }
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
 
 #define SSL_DONT_FORCE_FLUSH 0
 #define SSL_FORCE_FLUSH      1
diff --git a/library/version_features.c b/library/version_features.c
index d2de8957d2..b42fb29aa1 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -468,9 +468,6 @@ static const char * const features[] = {
 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
     "MBEDTLS_SSL_ALL_ALERT_MESSAGES",
 #endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
-    "MBEDTLS_SSL_RECORD_CHECKING",
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
     "MBEDTLS_SSL_DTLS_CONNECTION_ID",
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
diff --git a/programs/ssl/ssl_test_common_source.c b/programs/ssl/ssl_test_common_source.c
index 73457a1390..fd7eacf6d8 100644
--- a/programs/ssl/ssl_test_common_source.c
+++ b/programs/ssl/ssl_test_common_source.c
@@ -159,7 +159,6 @@ int dtls_srtp_key_derivation( void *p_expkey,
 
 #endif /* MBEDTLS_SSL_EXPORT_KEYS */
 
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
 int ssl_check_record( mbedtls_ssl_context const *ssl,
                       unsigned char const *buf, size_t len )
 {
@@ -220,7 +219,6 @@ int ssl_check_record( mbedtls_ssl_context const *ssl,
 
     return( 0 );
 }
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
 
 int recv_cb( void *ctx, unsigned char *buf, size_t len )
 {
@@ -241,10 +239,8 @@ int recv_cb( void *ctx, unsigned char *buf, size_t len )
         /* Here's the place to do any datagram/record checking
          * in between receiving the packet from the underlying
          * transport and passing it on to the TLS stack. */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
         if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 )
             return( -1 );
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
     }
 
     return( (int) recv_len );
@@ -267,10 +263,8 @@ int recv_timeout_cb( void *ctx, unsigned char *buf, size_t len,
         /* Here's the place to do any datagram/record checking
          * in between receiving the packet from the underlying
          * transport and passing it on to the TLS stack. */
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
         if( ssl_check_record( io_ctx->ssl, buf, recv_len ) != 0 )
             return( -1 );
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
     }
 
     return( (int) recv_len );
diff --git a/programs/test/query_config.c b/programs/test/query_config.c
index 450e2fbbf0..cf7b3032f6 100644
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@@ -1299,14 +1299,6 @@ int query_config( const char *config )
     }
 #endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
 
-#if defined(MBEDTLS_SSL_RECORD_CHECKING)
-    if( strcmp( "MBEDTLS_SSL_RECORD_CHECKING", config ) == 0 )
-    {
-        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_RECORD_CHECKING );
-        return( 0 );
-    }
-#endif /* MBEDTLS_SSL_RECORD_CHECKING */
-
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
     if( strcmp( "MBEDTLS_SSL_DTLS_CONNECTION_ID", config ) == 0 )
     {