diff --git a/rhn/SSL.py b/rhn/SSL.py
index f8a85bc..9b3c83b 100644
--- a/rhn/SSL.py
+++ b/rhn/SSL.py
@@ -89,6 +89,8 @@ class SSLSocket:
         self._check_closed()
         # Get a context
         self._ctx = SSL.Context(self._ssl_method)
+        self._ctx.set_options(SSL.OP_NO_SSLv2)
+        self._ctx.set_options(SSL.OP_NO_SSLv3)
         if self._trusted_certs:
             # We have been supplied with trusted CA certs
             for f in self._trusted_certs:
diff --git a/rhnlib.spec b/rhnlib.spec
index 1581072..1d197e9 100644
--- a/rhnlib.spec
+++ b/rhnlib.spec
@@ -7,7 +7,7 @@
 Summary: Python libraries for the Spacewalk project
 Name: rhnlib
 Version: 2.8.6
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL:     https://github.com/spacewalkproject/spacewalk
 Source0: https://github.com/spacewalkproject/spacewalk/archive/%{name}-%{version}.tar.gz
 
@@ -74,6 +74,10 @@ make -f Makefile.rhnlib
 %endif
 
 %changelog
+* Fri Nov 02 2018 Tomas Kasparek <tkasparek@redhat.com> 2.8.6-5
+- Resolves: #1643415 - forbid old SSL versions during negotiation
+  (tkasparek@redhat.com)
+
 * Tue Apr 17 2018 Tomas Kasparek <tkasparek@redhat.com> 2.8.6-4
 - don't package python2 files for rhnlib (tkasparek@redhat.com)
 - be compliant with new packaging guidelines when requiring python2 packages