--- /dev/null
+Index: ckermit/ck_ssl.c
+===================================================================
+--- ckermit.orig/ck_ssl.c
++++ ckermit/ck_ssl.c
+@@ -1604,10 +1604,12 @@ ssl_tn_init(mode) int mode;
+ /* This can fail because we do not have RSA available */
+ if ( !ssl_ctx ) {
+ debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
++#ifndef DISABLE_SSLV3
+ ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
+ }
+ if ( !ssl_ctx ) {
+ debug(F110,"ssl_tn_init","SSLv3_client_method failed",0);
++#endif
+ last_ssl_mode = -1;
+ return(0);
+ }
+@@ -1630,10 +1632,14 @@ ssl_tn_init(mode) int mode;
+ debug(F110,"ssl_tn_init","SSLv23_client_method OK",0);
+ } else {
+ debug(F110,"ssl_tn_init","SSLv23_client_method failed",0);
++#ifndef DISABLE_SSLV3
+ tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method());
++#endif /* DISABLE_SSLV3 */
+ if ( !tls_ctx ) {
++#ifndef DISABLE_SSLV3
+ debug(F110,
+- "ssl_tn_init","TLSv1_client_method failed",0);
++ "ssl_tn_init","SSLv3_client_method failed",0);
++#endif /* DISABLE_SSLV3 */
+ debug(F110,
+ "ssl_tn_init","All SSL client methods failed",0);
+ last_ssl_mode = -1;
+@@ -1651,10 +1657,12 @@ ssl_tn_init(mode) int mode;
+ /* This can fail because we do not have RSA available */
+ if ( !ssl_ctx ) {
+ debug(F110,"ssl_tn_init","SSLv23_server_method failed",0);
++#ifndef DISABLE_SSLV3
+ ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method());
+ }
+ if ( !ssl_ctx ) {
+ debug(F110,"ssl_tn_init","SSLv3_server_method failed",0);
++#endif
+ last_ssl_mode = -1;
+ return(0);
+ }
+@@ -1688,9 +1696,17 @@ ssl_tn_init(mode) int mode;
+ * that cannot read poorly written specs :-)
+ * for TLS be sure to prevent use of SSLv2
+ */
+- SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2);
++ SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL|SSL_OP_NO_SSLv2
++#ifdef DISABLE_SSLV3
++ |SSL_OP_NO_SSLv3
++#endif
++ );
+ SSL_CTX_set_options(tls_ctx,
+- SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
++ SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
++#ifdef DISABLE_SSLV3
++ |SSL_OP_NO_SSLv3
++#endif
++ );
+
+ SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback);
+ SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback);
+@@ -2215,7 +2231,11 @@ ssl_http_init(hostname) char * hostname;
+ * for TLS be sure to prevent use of SSLv2
+ */
+ SSL_CTX_set_options(tls_http_ctx,
+- SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA);
++ SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
++#ifdef DISABLE_SSLV3
++ |SSL_OP_NO_SSLv3
++#endif
++ );
+
+ SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback);
+
+Index: ckermit/ckcftp.c
+===================================================================
+--- ckermit.orig/ckcftp.c
++++ ckermit/ckcftp.c
+@@ -10210,9 +10210,11 @@ ssl_auth() {
+ if (ftp_bug_use_ssl_v2) {
+ /* allow SSL 2.0 or later */
+ client_method = SSLv23_client_method();
++#ifndef DISABLE_SSLV3
+ } else if (ftp_bug_use_ssl_v3) {
+ /* allow SSL 3.0 ONLY - previous default */
+ client_method = SSLv3_client_method();
++#endif /* DISABLE_SSLV3 */
+ } else {
+ /* default - allow TLS 1.0 or later */
+ client_method = TLSv1_client_method();
+@@ -10223,6 +10225,9 @@ ssl_auth() {
+ return(0);
+ SSL_CTX_set_options(ssl_ftp_ctx,
+ SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
++#ifdef DISABLE_SSLV3
++ |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
++#endif
+ );
+ } else {
+ ssl_ftp_ctx = SSL_CTX_new(client_method);
+@@ -10231,6 +10236,9 @@ ssl_auth() {
+ SSL_CTX_set_options(ssl_ftp_ctx,
+ (ftp_bug_use_ssl_v2 ? 0 : SSL_OP_NO_SSLv2)|
+ SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA
++#ifdef DISABLE_SSLV3
++ |SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
++#endif
+ );
+ }
+ SSL_CTX_set_default_passwd_cb(ssl_ftp_ctx,