--- openssl-1.0.1e.rh/ssl/ssl_lib.c 2014-11-14 22:10:10.000000000 +0100
+++ openssl-1.0.1e/ssl/ssl_lib.c 2014-11-15 00:38:50.000000000 +0100
@@ -1903,6 +1903,9 @@
 */
 ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
 
+ /* every new ctx should have these ancient protocols disabled */
+ ret->options |= (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
+
 return(ret);
 err:
 SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
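Review bot: The new default is OR-ed in unconditionally just before `return(ret)`, so it also lands on contexts created with a fixed-version method such as `SSLv3_method()`, and nothing in the hunk shows how those methods treat the flag. Either they ignore it and the hardening silently does not apply to them, or the handshake fails later with no hint that a library default changed; it is worth confirming which and covering it with a test. The comment should also state the opt-out, for example `/* SSLv2/SSLv3 are off by default for every new ctx; callers that still need them must call SSL_CTX_clear_options() explicitly */`. Because `SSL_CTX_set_options()` only ORs bits in, existing callers keep this default unless they clear it. The enclosing function (apparently SSL_CTX_new, going by the SSLerr code) starts and ends outside the hunk.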