diff --git a/configure.ac b/configure.ac
index f06822354..0f9606038 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2217,7 +2217,7 @@ AC_ARG_WITH([ntru],
     [AS_HELP_STRING([--with-ntru=PATH],[Path to NTRU install (default /usr/)])],
     [
         AC_MSG_CHECKING([for NTRU])
-        CPPFLAGS="$CPPFLAGS -DHAVE_NTRU -DHAVE_QSH -DHAVE_TLS_EXTENSIONS"
+        CPPFLAGS="$CPPFLAGS -DHAVE_NTRU -DHAVE_TLS_EXTENSIONS"
         LIBS="$LIBS -lntruencrypt"
 
         AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <libntruencrypt/ntru_crypto_drbg.h>]], [[ ntru_crypto_drbg_instantiate(0, 0, 0, 0, 0); ]])], [ ntru_linked=yes ],[ ntru_linked=no ])
@@ -2245,7 +2245,7 @@ AC_ARG_WITH([ntru],
             AC_MSG_RESULT([yes])
         fi
 
-        AM_CFLAGS="$AM_CFLAGS -DHAVE_NTRU -DHAVE_QSH -DHAVE_TLS_EXTENSIONS"
+        AM_CFLAGS="$AM_CFLAGS -DHAVE_NTRU -DHAVE_TLS_EXTENSIONS"
         ENABLED_NTRU="yes"
     ]
 )
@@ -2253,6 +2253,24 @@ AC_ARG_WITH([ntru],
 AM_CONDITIONAL([BUILD_NTRU], [test "x$ENABLED_NTRU" = "xyes"])
 
 
+# QSH
+AC_ARG_ENABLE([qsh],
+    [AS_HELP_STRING([--enable-qsh],[Enable QSH (default: disabled)])],
+    [ ENABLED_QSH=$enableval ],
+    [ ENABLED_QSH=no ]
+    )
+
+if test "x$ENABLED_QSH" = "xyes"
+then
+    if test "x$ENABLED_NTRU" = "xno"
+    then
+        AC_MSG_ERROR([cannot enable qsh without NTRU])
+    fi
+
+    AM_CFLAGS="$AM_CFLAGS -DHAVE_QSH"
+fi
+
+
 # Whitewood netRandom client library
 ENABLED_WNR="no"
 trywnrdir=""
@@ -3898,6 +3916,7 @@ echo "   * Persistent cert    cache:   $ENABLED_SAVECERT"
 echo "   * Atomic User Record Layer:   $ENABLED_ATOMICUSER"
 echo "   * Public Key Callbacks:       $ENABLED_PKCALLBACKS"
 echo "   * NTRU:                       $ENABLED_NTRU"
+echo "   * QSH:                        $ENABLED_QSH"
 echo "   * Whitewood netRandom:        $ENABLED_WNR"
 echo "   * Server Name Indication:     $ENABLED_SNI"
 echo "   * ALPN:                       $ENABLED_ALPN"
diff --git a/src/tls.c b/src/tls.c
index c79523316..477860c3c 100755
--- a/src/tls.c
+++ b/src/tls.c
@@ -51,10 +51,10 @@
 #ifdef HAVE_QSH
     static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key);
     static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name);
-#endif
-#if defined(HAVE_NTRU) || defined(HAVE_QSH)
+#if defined(HAVE_NTRU)
     static int TLSX_CreateNtruKey(WOLFSSL* ssl, int type);
 #endif
+#endif /* HAVE_QSH */
 
 
 #ifndef NO_TLS
@@ -3708,12 +3708,12 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap)
 /* Quantum-Safe-Hybrid                                                        */
 /******************************************************************************/
 
+#ifdef HAVE_QSH
 #if defined(HAVE_NTRU)
 static WC_RNG* gRng;
 static wolfSSL_Mutex* gRngMutex;
 #endif
 
-#ifdef HAVE_QSH
 static void TLSX_QSH_FreeAll(QSHScheme* list, void* heap)
 {
     QSHScheme* current;
@@ -7166,7 +7166,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
 }
 
 
-#ifdef HAVE_NTRU
+#if defined(HAVE_NTRU) && defined(HAVE_QSH)
 
 static word32 GetEntropy(unsigned char* out, word32 num_bytes)
 {
@@ -7253,11 +7253,10 @@ static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key)
 }
 
 
-#if defined(HAVE_NTRU) || defined(HAVE_QSH)
+#if defined(HAVE_NTRU)
 int TLSX_CreateNtruKey(WOLFSSL* ssl, int type)
 {
     int ret = -1;
-#ifdef HAVE_NTRU
     int ntruType;
 
     /* variable declarations for NTRU*/
@@ -7320,7 +7319,6 @@ int TLSX_CreateNtruKey(WOLFSSL* ssl, int type)
     temp->next = NULL;
 
     TLSX_AddQSHKey(&ssl->QSH_Key, temp);
-#endif
 
     (void)ssl;
     (void)type;