diff -Naurp lftp-4.4.8.orig/doc/lftp.1 lftp-4.4.8/doc/lftp.1

--- lftp-4.4.8.orig/doc/lftp.1	2015-05-13 11:31:55.000000000 +0200

+++ lftp-4.4.8/doc/lftp.1	2015-05-13 16:34:46.648020240 +0200

@@ -1865,6 +1865,14 @@ when true, use Server Name Indication (S

 if set to yes, then verify server's certificate to be signed by a known

 Certificate Authority and not be on Certificate Revocation List.

 .TP

+.BR ssl:priority " (string)"

+free form priority string for GnuTLS. If built with OpenSSL the understood

+values are \fI+\fP or \fI-\fP followed by SSL3.0, TLS1.0, TLS1.1 or TLS1.2,

+separated by \fI:\fP. Example:

+.Ds

+set ssl:priority "NORMAL:-SSL3.0:-TLS1.0:-TLS1.1:+TLS1.2"

+.De

+.TP

 .BR torrent:ip " (ipv4 address)"

 IP address to send to the tracker. Specify it if you are using an HTTP proxy.

 .TP

diff -Naurp lftp-4.4.8.orig/src/lftp_ssl.cc lftp-4.4.8/src/lftp_ssl.cc

--- lftp-4.4.8.orig/src/lftp_ssl.cc	2013-03-19 13:55:58.000000000 +0100

+++ lftp-4.4.8/src/lftp_ssl.cc	2015-05-13 17:41:43.752418022 +0200

@@ -270,10 +270,20 @@ lftp_ssl_gnutls::lftp_ssl_gnutls(int fd1

    gnutls_transport_set_ptr(session,(gnutls_transport_ptr_t)fd);

-   // hack for some ftp servers

-   const char *auth=ResMgr::Query("ftp:ssl-auth", hostname);

-   if(auth && !strncmp(auth, "SSL", 3))

-      gnutls_priority_set_direct(session, "NORMAL:+SSL3.0:-TLS1.0:-TLS1.1:-TLS1.2",0);

+   const char *priority=ResMgr::Query("ssl:priority", 0);

+   if(priority && *priority)

+   {

+      int res = gnutls_priority_set_direct(session, priority, 0);

+      if(res != GNUTLS_E_SUCCESS)

+         Log::global->Format(0,"gnutls_priority_set_direct(`%s'): %s\n",priority,gnutls_strerror(res));

+   }

+   else

+   {

+      // hack for some ftp servers

+      const char *auth=ResMgr::Query("ftp:ssl-auth", hostname);

+      if(auth && !strncmp(auth, "SSL", 3))

+         gnutls_priority_set_direct(session, "NORMAL:+SSL3.0:-TLS1.0:-TLS1.1:-TLS1.2",0);

+   }

    if(h && ResMgr::QueryBool("ssl:use-sni",h)) {

       if(gnutls_server_name_set(session, GNUTLS_NAME_DNS, h, xstrlen(h)) < 0)

@@ -771,7 +781,32 @@ lftp_ssl_openssl_instance::lftp_ssl_open

 #else

    SSLeay_add_ssl_algorithms();

    ssl_ctx=SSL_CTX_new(SSLv23_client_method());

-   SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL|SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2);

+   long options=SSL_OP_ALL|SSL_OP_NO_TICKET|SSL_OP_NO_SSLv2;

+   const char *priority=ResMgr::Query("ssl:priority", 0);

+   if(priority && *priority)

+   {

+      static const struct ssl_option {

+         const char name[8];

+         long option;

+      } opt_table[] ={

+	 {"-SSL3.0",SSL_OP_NO_SSLv3},

+	 {"-TLS1.0",SSL_OP_NO_TLSv1},

+	 {"-TLS1.1",SSL_OP_NO_TLSv1_1},

+	 {"-TLS1.2",SSL_OP_NO_TLSv1_2},

+	 {"",0}

+      };

+      char *to_parse=alloca_strdup(priority);

+      for(char *ptr=strtok(to_parse,":"); ptr; ptr=strtok(NULL,":")) {

+	 for(const ssl_option *opt=opt_table; opt->name[0]; opt++) {

+	    if(!strcmp(ptr,opt->name)) {

+	       options|=opt->option;

+	       Log::global->Format(9,"ssl: applied %s option\n",ptr);

+	       break;

+	    }

+	 }

+      }

+   }

+   SSL_CTX_set_options(ssl_ctx, options);

    SSL_CTX_set_cipher_list(ssl_ctx, "ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH");

    SSL_CTX_set_verify(ssl_ctx,SSL_VERIFY_PEER,lftp_ssl_openssl::verify_callback);

 //    SSL_CTX_set_default_passwd_cb(ssl_ctx,lftp_ssl_passwd_callback);

diff -Naurp lftp-4.4.8.orig/src/resource.cc lftp-4.4.8/src/resource.cc

--- lftp-4.4.8.orig/src/resource.cc	2013-03-19 14:00:36.000000000 +0100

+++ lftp-4.4.8/src/resource.cc	2015-05-13 17:57:40.885954120 +0200

@@ -354,6 +354,7 @@ static ResType lftp_vars[] = {

    {"ssl:check-hostname",	 "yes",	  ResMgr::BoolValidate,0},

    {"ssl:verify-certificate",	 "yes",	  ResMgr::BoolValidate,0},

    {"ssl:use-sni",		 "yes",	  ResMgr::BoolValidate,0},

+   {"ssl:priority",		 "",	  0,0},

 # if USE_OPENSSL

    {"ssl:ca-path",		 "",	  ResMgr::DirReadable,ResMgr::NoClosure},

    {"ssl:crl-path",		 "",	  ResMgr::DirReadable,ResMgr::NoClosure},