diff --git a/client/ovpncli.cpp b/client/ovpncli.cpp
index 94595a49..56513e0d 100644
--- a/client/ovpncli.cpp
+++ b/client/ovpncli.cpp
@@ -54,7 +54,6 @@
 #define OPENVPN_DEBUG_PROTO 1 // increases low-level protocol verbosity (1)
 //#define OPENVPN_DEBUG_PROTO_DUMP // dump hex of transport-layer packets, requires OPENVPN_DEBUG_CLIPROTO (comment out)
 //#define OPENVPN_DEBUG_VERBOSE_ERRORS // verbosely log Error::Type errors (comment out)
-#define OPENVPN_SSL_DEBUG 0 // show verbose SSL debug info (0)
 #define OPENVPN_DEBUG_TUN 2 // debug level for tun object (2)
 #define OPENVPN_DEBUG_UDPLINK 2 // debug level for UDP link object (2)
 #define OPENVPN_DEBUG_TCPLINK 2 // debug level for TCP link object (2)
@@ -369,6 +368,7 @@ namespace openvpn {
 std::string private_key_password;
 std::string external_pki_alias;
 bool disable_client_cert = false;
+ int ssl_debug_level = 0;
 int default_key_direction = -1;
 bool force_aes_cbc_ciphersuites = false;
 std::string tls_version_min_override;
@@ -585,6 +585,7 @@ namespace openvpn {
 if (eval.externalPki)
 state->external_pki_alias = config.externalPkiAlias;
 state->disable_client_cert = config.disableClientCert;
+ state->ssl_debug_level = config.sslDebugLevel;
 state->default_key_direction = config.defaultKeyDirection;
 state->force_aes_cbc_ciphersuites = config.forceAesCbcCiphersuites;
 state->tls_version_min_override = config.tlsVersionMinOverride;
@@ -770,6 +771,11 @@ namespace openvpn {
 connect_attach();
 try {
+ // set global PolarSSL debug level
+#if defined(USE_POLARSSL)
+ debug_set_threshold(state->ssl_debug_level); // fixme -- using a global method for this seems wrong
+#endif
+
 // load options
 ClientOptions::Config cc;
 cc.cli_stats = state->stats;
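Review bot: `debug_set_threshold(state->ssl_debug_level)` changes a process-wide PolarSSL setting from inside one client's connect path, which the `fixme` already admits, but nothing in this hunk restores the previous threshold, so once a session has been started with a non-zero level every later SSL context in the process appears to keep logging at that level until some connect() passes 0 again. Verbose SSL debug output may include handshake detail, so the scope of this setting deserves a real comment rather than a fixme: `// set global PolarSSL debug level -- process-wide, not per-session: it applies to every SSL context in this process and is only changed again by the next connect()`. The value arrives unvalidated from the API config (the ovpncli.hpp hunk gives it no range), so a clamp or a check at the point where `config.sslDebugLevel` is copied into state would also be reasonable. The enclosing connect function starts and ends outside the hunk, and one context line of this hunk seems to have been lost when the page was collapsed.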
@@ -792,6 +798,7 @@ namespace openvpn {
 cc.remote_override = &state->remote_override;
 cc.private_key_password = state->private_key_password;
 cc.disable_client_cert = state->disable_client_cert;
+ cc.ssl_debug_level = state->ssl_debug_level;
 cc.default_key_direction = state->default_key_direction;
 cc.force_aes_cbc_ciphersuites = state->force_aes_cbc_ciphersuites;
 cc.tls_version_min_override = state->tls_version_min_override;
diff --git a/client/ovpncli.hpp b/client/ovpncli.hpp
index 8d13bffd..e48129cd 100644
--- a/client/ovpncli.hpp
+++ b/client/ovpncli.hpp
@@ -200,6 +200,9 @@ namespace openvpn {
 // If true, don't send client cert/key to peer.
 bool disableClientCert = false;
+ // SSL library debug level
+ int sslDebugLevel = 0;
+
 // Compression mode, one of:
 // yes -- allow compression on both uplink and downlink
 // asym -- allow compression on downlink only (i.e. server -> client)
diff --git a/openvpn/client/cliopt.hpp b/openvpn/client/cliopt.hpp
index 6630200e..d69f54bf 100644
--- a/openvpn/client/cliopt.hpp
+++ b/openvpn/client/cliopt.hpp
@@ -129,6 +129,7 @@ namespace openvpn {
 bool google_dns_fallback = false;
 std::string private_key_password;
 bool disable_client_cert = false;
+ int ssl_debug_level = 0;
 int default_key_direction = -1;
 bool force_aes_cbc_ciphersuites = false;
 bool autologin_sessions = false;
@@ -212,9 +213,7 @@ namespace openvpn {
 cc->set_external_pki_callback(config.external_pki);
 cc->set_frame(frame);
 cc->set_flags(SSLConst::LOG_VERIFY_STATUS);
-#ifdef OPENVPN_SSL_DEBUG
- cc->set_debug_level(OPENVPN_SSL_DEBUG);
-#endif
+ cc->set_debug_level(config.ssl_debug_level);
 cc->set_rng(rng);
 cc->set_local_cert_enabled(pcc.clientCertEnabled() && !config.disable_client_cert);
 cc->set_private_key_password(config.private_key_password);
diff --git a/test/ovpncli/cli.cpp b/test/ovpncli/cli.cpp
index 44d7c167..20063658 100644
--- a/test/ovpncli/cli.cpp
+++ b/test/ovpncli/cli.cpp
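Review bot: The comment `// SSL library debug level` on the new public `sslDebugLevel` field says nothing about what 0 means, what range is accepted, or what raising it does, and in the ovpncli.cpp hunk the value is handed to a global PolarSSL threshold, so a caller of this API cannot tell from the header that the setting is not scoped to the config object. I would write `// SSL library debug level (0 = off, the default). Higher values make the SSL library log more handshake detail through the normal log callback; under PolarSSL this sets a process-wide threshold that also affects other client instances in the same process.` The set of meaningful values depends on the SSL library and is not visible in this diff, so that part of the wording should be confirmed against the library before it is committed.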
@@ -272,6 +272,7 @@ int openvpn_client(int argc, char *argv[], const std::string* profile_content)
 { "merge", no_argument, nullptr, 'm' },
 { "version", no_argument, nullptr, 'v' },
 { "auto-sess", no_argument, nullptr, 'a' },
+ { "ssl-debug", required_argument, nullptr, 1 },
 { nullptr, 0, nullptr, 0 }
 };
@@ -308,6 +309,7 @@ int openvpn_client(int argc, char *argv[], const std::string* profile_content)
 bool proxyAllowCleartextAuth = false;
 int defaultKeyDirection = -1;
 bool forceAesCbcCiphersuites = false;
+ int sslDebugLevel = 0;
 bool googleDnsFallback = false;
 bool autologinSessions = false;
 bool tunPersist = false;
@@ -322,6 +324,9 @@ int openvpn_client(int argc, char *argv[], const std::string* profile_content)
 {
 switch (ch)
 {
+ case 1:
+ sslDebugLevel = ::atoi(optarg);
+ break;
 case 'e':
 eval = true;
 break;
@@ -482,6 +487,7 @@ int openvpn_client(int argc, char *argv[], const std::string* profile_content)
 config.dco = dco;
 config.defaultKeyDirection = defaultKeyDirection;
 config.forceAesCbcCiphersuites = forceAesCbcCiphersuites;
+ config.sslDebugLevel = sslDebugLevel;
 config.googleDnsFallback = googleDnsFallback;
 config.autologinSessions = autologinSessions;
 config.tunPersist = tunPersist;
@@ -649,6 +655,7 @@ int openvpn_client(int argc, char *argv[], const std::string* profile_content)
 std::cout << "--no-cert, -x : disable client certificate" << std::endl;
 std::cout << "--def-keydir, -k : default key direction ('bi', '0', or '1')" << std::endl;
 std::cout << "--force-aes-cbc, -f : force AES-CBC ciphersuites" << std::endl;
+ std::cerr << "--ssl-debug : SSL debug level" << std::endl;
 std::cout << "--google-dns, -g : enable Google DNS fallback" << std::endl;
 std::cout << "--auto-sess, -a : request autologin session" << std::endl;
 std::cout << "--persist-tun, -j : keep TUN interface open across reconnects" << std::endl;
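Review bot: `sslDebugLevel = ::atoi(optarg);` in the new `case 1:` accepts any string: a non-numeric argument silently becomes 0 (debug off) and an out-of-range one is undefined behaviour, so a mistyped `--ssl-debug` value fails without any message and the unchecked int then flows into `config.sslDebugLevel` and, per the ovpncli.cpp hunk, into a global library threshold. Parse it with `std::strtol`, check the end pointer and range before assigning, e.g. `char* end = nullptr; const long lvl = std::strtol(optarg, &end, 10); if (*optarg == '\0' || *end != '\0' || lvl < 0 || lvl > INT_MAX) { /* report bad --ssl-debug value and exit */ }` and then `sslDebugLevel = static_cast<int>(lvl);`. The case label `1` is the `val` of the new longopt entry but has no symbolic name; a named constant used in both the option table and the switch would make that link visible. openvpn_client continues outside the hunk, and one context line of the first hunk appears to have been lost when the page was collapsed.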
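Review bot: The new help line writes to `std::cerr` while every neighbouring line of the usage text writes to `std::cout`, so `--ssl-debug` is missing when a user captures stdout to read the help, and is printed out of order when both streams share a terminal. Change it to `std::cout << "--ssl-debug : SSL debug level" << std::endl;`. It would also help to show the argument form and the default, as `--def-keydir` does for its values, e.g. `"--ssl-debug N : SSL library debug level (0 = off)"`.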