diff --git a/rhn/SSL.py b/rhn/SSL.py
index c3d338868f..5ffadf5858 100644
--- a/rhn/SSL.py
+++ b/rhn/SSL.py
@@ -85,6 +85,8 @@ class SSLSocket:
         self._check_closed()
         # Get a context
         self._ctx = SSL.Context(self._ssl_method)
+        self._ctx.set_options(SSL.OP_NO_SSLv2)
+        self._ctx.set_options(SSL.OP_NO_SSLv3)
         if self._trusted_certs:
             # We have been supplied with trusted CA certs
             for f in self._trusted_certs:
diff --git a/rhnlib.spec b/rhnlib.spec
index 64d5224123..281156930a 100644
--- a/rhnlib.spec
+++ b/rhnlib.spec
@@ -5,7 +5,7 @@ Name: rhnlib
 URL:     https://github.com/spacewalkproject/spacewalk
 Source0: https://github.com/spacewalkproject/spacewalk/archive/%{name}-%{version}.tar.gz
 Version: 2.5.65
-Release: 7%{?dist}
+Release: 8%{?dist}
 
 Group: Development/Libraries
 License: GPLv2
@@ -59,6 +59,10 @@ rm -rf $RPM_BUILD_ROOT
 %{python_sitelib}/*
 
 %changelog
+* Fri Jul 27 2018 Tomas Kasparek <tkasparek@redhat.com> 2.5.65-8
+- Resolves: #1608425 - forbid old SSL versions during negotiation
+  (tkasparek@redhat.com)
+
 * Thu Oct 19 2017 Tomas Kasparek <tkasparek@redhat.com> 2.5.65-7
 - Resolves: #1503953 - upstream project has migrated to github
   (tkasparek@redhat.com)