diff --git a/configure.ac b/configure.ac
index bb92df7e..f48ea1fb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -450,8 +450,6 @@ case "$ssl_library" in
 	oldcflags="$CFLAGS"
 	LIBS="$LIBS $GNUTLS_LIBS"
 	CFLAGS="$CFLAGS $GNUTLS_CFLAGS"
-	AC_CHECK_FUNC(gnutls_dtls_set_data_mtu,
-		      [AC_DEFINE(HAVE_GNUTLS_DTLS_SET_DATA_MTU, 1, [From GnuTLS 3.0.20])], [])
 	AC_CHECK_FUNC(gnutls_pkcs11_get_raw_issuer,
 		      [AC_DEFINE(HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER, 1, [From GnuTLS 3.2.7])], [])
 	AC_CHECK_FUNC(gnutls_certificate_set_x509_system_trust,
diff --git a/gnutls-dtls.c b/gnutls-dtls.c
index 4b515a7b..7d15be6c 100644
--- a/gnutls-dtls.c
+++ b/gnutls-dtls.c
@@ -354,7 +354,6 @@ int dtls_try_handshake(struct openconnect_info *vpninfo)
 				return -EIO;
 			}
 
-#ifdef HAVE_GNUTLS_DTLS_SET_DATA_MTU
 			/* Make sure GnuTLS's idea of the MTU is sufficient to take
 			   a full VPN MTU (with 1-byte header) in a data record. */
 			err = gnutls_dtls_set_data_mtu(vpninfo->dtls_ssl, vpninfo->ip_info.mtu + 1);
@@ -364,14 +363,6 @@ int dtls_try_handshake(struct openconnect_info *vpninfo)
 					     gnutls_strerror(err));
 				goto error;
 			}
-#else
-			/* If we don't have gnutls_dtls_set_data_mtu() then make sure
-			   we leave enough headroom by adding the worst-case overhead.
-			   We only support AES128-CBC and DES-CBC3-SHA anyway, so
-			   working out the worst case isn't hard. */
-			gnutls_dtls_set_mtu(vpninfo->dtls_ssl,
-					    vpninfo->ip_info.mtu + DTLS_OVERHEAD);
-#endif
 		}
 
 		vpninfo->dtls_state = DTLS_CONNECTED;