diff --git a/SOURCES/README.rpm b/SOURCES/README.rpm
deleted file mode 100644
index 1ed8fa0..0000000
--- a/SOURCES/README.rpm
+++ /dev/null
@@ -1,34 +0,0 @@
----------------
-Cyrus IMAPd RPM
----------------
-
-This is a _very_ 'quick and dirty' install howto.
-
-The following steps should lead you to a running Cyrus IMAP server:
-
-1) Install on a distribution which is supported by this RPM. Don't install
- on a dirty system, where you have previously installed from source.
-2) Don't install if you have a previous Cyrus IMAPd installation <=2.1.x on
- your box. Upgrading any Invoca rpm based installation should be fine.
-3) Make sure you understand that this RPM installs in FHS compliant
- directories, like /var/lib/imap and /var/spool/imap
-4) Make sure cyrus-sasl is installed.
-5) Make sure saslauthd is running. If not, edit /etc/sysconfig/saslauthd as
- needed and do 'chkconfig saslauthd on ; service saslauthd start'
-6) Install the cyrus-imapd RPMs.
-7) If it's your first install of Cyrus IMAPd, then set a password for the
- cyrus user in whatever database you are using to authenticate. When
- using a local account, this should be 'passwd cyrus'.
-8) Make sure your MTA delivers to Cyrus IMAPd, I recommend LMTP for this.
-9) Start Cyrus IMAPd with 'service cyrus-imapd start'
-10) Run cyradm and create a user. Usually it's something like this:
- 'cyradm --user=cyrus --auth=login localhost'
-11) If you're using sendmail, be aware that cyrusv2.m4 included in standard
- sendmail distribution uses socket /var/imap/socket/lmtp while this rpm
- uses /var/lib/imap/socket/lmtp.
-12) Check your syslog configuration. This RPM uses the mail facility to log
- messages. On busy sites you may want to limit the mail facility to the
- info priority with something like 'mail.info /var/log/maillog' in
- /etc/syslog.conf.
-
-Enjoy!
diff --git a/SOURCES/cyrus-imapd-2.3.16-tlsconfig.patch b/SOURCES/cyrus-imapd-2.3.16-tlsconfig.patch
new file mode 100644
index 0000000..28d5e09
--- /dev/null
+++ b/SOURCES/cyrus-imapd-2.3.16-tlsconfig.patch
@@ -0,0 +1,108 @@
+New settings:
+
+ tls_prefer_server_ciphers: 0
+
+ Prefer the cipher order configured on the server-side.
+
+ tls_versions: ssl2 ssl3 tls1_0 tls1_1 tls1_2
+
+ Disable SSL/TLS protocols not in this list.
+
+diff --git a/imap/tls.c b/imap/tls.c
+index b2cf666..5a626e2 100644
+--- a/imap/tls.c
++++ b/imap/tls.c
+@@ -632,6 +632,7 @@ int tls_init_serverengine(const char *ident,
+ const char *s_cert_file;
+ const char *s_key_file;
+ int requirecert;
++ int server_cipher_order;
+ int timeout;
+
+ if (tls_serverengine)
+@@ -663,10 +657,40 @@ int tls_init_serverengine(const char *ident,
+ };
+
+ off |= SSL_OP_ALL; /* Work around all known bugs */
+- if (tlsonly) {
+- off |= SSL_OP_NO_SSLv2;
+- off |= SSL_OP_NO_SSLv3;
++
++ const char *tls_versions = config_getstring(IMAPOPT_TLS_VERSIONS);
++
++ if (strstr(tls_versions, "ssl2") == NULL || tlsonly) {
++ off |= SSL_OP_NO_SSLv2;
++ }
++
++ if (strstr(tls_versions, "ssl3") == NULL || tlsonly) {
++ off |= SSL_OP_NO_SSLv3;
++ }
++
++ if (strstr(tls_versions, "tls1_2") == NULL) {
++#if (OPENSSL_VERSION_NUMBER >= 0x1000105fL)
++ off |= SSL_OP_NO_TLSv1_2;
++#else
++ syslog(LOG_ERR, "ERROR: TLSv1.2 configured, OpenSSL < 1.0.1e insufficient");
++#endif
+ }
++
++ if (strstr(tls_versions, "tls1_1") == NULL) {
++#if (OPENSSL_VERSION_NUMBER >= 0x1000000fL)
++ off |= SSL_OP_NO_TLSv1_1;
++#else
++ syslog(LOG_ERR, "ERROR: TLSv1.1 configured, OpenSSL < 1.0.0 insufficient");
++#endif
++ }
++ if (strstr(tls_versions, "tls1_0") == NULL) {
++ off |= SSL_OP_NO_TLSv1;
++ }
++
++ server_cipher_order = config_getswitch(IMAPOPT_TLS_PREFER_SERVER_CIPHERS);
++ if (server_cipher_order)
++ off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
++
+ SSL_CTX_set_options(s_ctx, off);
+ SSL_CTX_set_info_callback(s_ctx, (void (*)()) apps_ssl_info_callback);
+
+@@ -1196,7 +1220,7 @@ int tls_init_clientengine(int verifydepth,
+ return -1;
+ }
+
+- c_ctx = SSL_CTX_new(TLSv1_client_method());
++ c_ctx = SSL_CTX_new(SSLv23_client_method());
+ if (c_ctx == NULL)
{
+ return (-1);
+ };
+diff --git a/imtest/imtest.c b/imtest/imtest.c
+index 01ac72c..50d115d 100644
+--- a/imtest/imtest.c
++++ b/imtest/imtest.c
+@@ -510,7 +510,7 @@ static int tls_init_clientengine(int verifydepth, char *var_tls_cert_file, char
+ return IMTEST_FAIL;
+ }
+
+- tls_ctx = SSL_CTX_new(TLSv1_client_method());
++ tls_ctx = SSL_CTX_new(SSLv23_client_method());
+ if (tls_ctx == NULL) {
+ return IMTEST_FAIL;
+ };
+Index: cyrus-imapd-2.3.16/lib/imapoptions
+===================================================================
+--- cyrus-imapd-2.3.16.orig/lib/imapoptions
++++ cyrus-imapd-2.3.16/lib/imapoptions
+@@ -1288,6 +1288,15 @@ product version in the capabilities */
+ the special use flag "\Drafts" added. Later versions of Cyrus
+ have a much more flexible RFC 6154 compatible system. */
+
++{ "tls_prefer_server_ciphers", 0, SWITCH }
++/* Prefer the ciphers on the server side instead of client side */
++
++{ "tls_versions", "ssl2 ssl3 tls1_0 tls1_1 tls1_2", STRING }
++/* A list of SSL/TLS versions to not disable. Cyrus IMAP SSL/TLS starts
++ with all protocols, and substracts protocols not in this list. Newer
++ versions of SSL/TLS will need to be added here to allow them to get
++ disabled. */
++
+ /*
+ .SH SEE ALSO
+ .PP
diff --git a/SPECS/cyrus-imapd.spec b/SPECS/cyrus-imapd.spec
index 186f95e..1e4e0b1 100644
--- a/SPECS/cyrus-imapd.spec
+++ b/SPECS/cyrus-imapd.spec
@@ -1,6 +1,6 @@
 Name: cyrus-imapd
 Version: 2.4.17
-Release: 7%{?dist}
+Release: 8%{?dist}
 %define ssl_pem_file %{_sysconfdir}/pki/%{name}/%{name}.pem
@@ -39,6 +39,9 @@ Patch6: cyrus-imapd-2.3.12p2-current-db.patch
 # for c-i <= 2.4.12
 Patch8: cyrus-imapd-2.4.12-debugopt.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1196210
+# https://access.redhat.com/security/cve/CVE-2014-3566
+Patch9: cyrus-imapd-2.3.16-tlsconfig.patch
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
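Review bot: In the tls_init_clientengine hunk (and the identical imtest.c hunk) the client context is switched from `TLSv1_client_method()` to `SSLv23_client_method()` with no `SSL_CTX_set_options(c_ctx, ...)` visible in the hunk, so a client that previously spoke only TLSv1 can now be negotiated down to SSLv3 (and SSLv2 where the library still has it) — the downgrade this backport is meant to close per the CVE-2014-3566 reference in the spec — unless the remainder of that function, which lies outside the hunk, already sets those options; at minimum `SSL_CTX_set_options(c_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` should follow the `SSL_CTX_new` call, or better, the same `off` mask that tls_init_serverengine derives from `tls_versions` should be reused for the client side. In tls_init_serverengine the two `#else` branches run when `tls1_2`/`tls1_1` is *absent* from `tls_versions`, i.e. when the administrator asks for that version to be disabled, yet the messages say "TLSv1.2 configured"; since such an OpenSSL cannot negotiate the version at all, the branch is harmless and the text should say so, e.g. `syslog(LOG_WARNING, "tls_versions: TLSv1.2 not available in this OpenSSL, nothing to disable");`. The TLSv1.1 guard tests `OPENSSL_VERSION_NUMBER >= 0x1000000fL`, but as far as I recall `SSL_OP_NO_TLSv1_1` only appeared together with `SSL_OP_NO_TLSv1_2` in OpenSSL 1.0.1, so a 1.0.0 build would hit an undefined macro — using the `0x1000105fL` threshold the TLSv1.2 branch already uses would be safer. The `strstr` matching is substring-based, so a mistyped token such as `xtls1_0` still keeps TLSv1.0 enabled; comparing whitespace-separated tokens would make the option strict. Finally, the imapoptions default `"ssl2 ssl3 tls1_0 tls1_1 tls1_2"` leaves SSLv3 enabled out of the box, so the option's comment (which also has the typo "substracts") should state plainly that operators wanting the POODLE mitigation must set `tls_versions: tls1_0 tls1_1 tls1_2`; both tls.c functions begin and end outside the hunk.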
@@ -117,6 +120,7 @@ one running the server.
 %patch4 -p1 -b .authid_normalize
 %patch6 -p1 -b .libdb
 %patch8 -p1 -b .debugopt
+%patch9 -p1
 install -m 644 %{SOURCE11} doc/
@@ -468,6 +472,9 @@ fi
 %{_mandir}/man1/*
 %changelog
+* Thu Mar 19 2015 Pavel Šimerda - 2.4.17-8
+- Resolves: #1196210 - backport method to disable SSLv3
+
 * Fri Jan 24 2014 Daniel Mach - 2.4.17-7
 - Mass rebuild 2014-01-24
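Review bot: `%patch9 -p1` is the only %patch line in this hunk without a `-b` backup suffix, while `%patch4`, `%patch6` and `%patch8` each pass one; for consistency with the rest of %prep (and so the pre-patch files remain in the build tree for comparison) it should read `%patch9 -p1 -b .tlsconfig`. The %prep section continues outside the hunk.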