diff -r fd324464f56f -r 198ad9d8cec1 src/server/daemon/httplistener.c
--- a/src/server/daemon/httplistener.c Mon Dec 26 16:46:55 2016 +0100
+++ b/src/server/daemon/httplistener.c Tue Dec 27 11:16:39 2016 +0100
@@ -160,12 +160,77 @@
 listener->ref = 1;
 listener->next = NULL;
 listener->ssl = NULL;
+
+ int error = 0;
+
 if(conf->ssl) {
 listener->ssl = malloc(sizeof(HttpSSL));
- SSL_CTX *ctx = SSL_CTX_new( SSLv23_server_method());
- SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
+ SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
+ SSL_CTX_set_options(
+ ctx,
+ SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv3);
+ if(conf->disable_proto.ptr) {
+ ssize_t n = 0;
+ sstr_t *plist = sstrsplit(conf->disable_proto, S(","), &n);
+ if(plist) {
+ for(int i=0;iname.ptr,
+ proto.ptr);
+ if(!sstrcasecmp(sstrtrim(proto), S("SSLv2"))) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ } else if(!sstrcasecmp(sstrtrim(proto), S("SSLv3"))) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
+ } else if(!sstrcasecmp(sstrtrim(proto), S("TLSv1"))) {
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+ } else if(!sstrcasecmp(sstrtrim(proto), S("TLSv1.1"))) {
+#ifdef SSL_OP_NO_TLSv1_1
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
+#else
+ log_ereport(
+ LOG_WARN,
+ "Listener: %s: TLSv1.1 already not supported",
+ listener->name.ptr);
+#endif
+ } else if(sstrcasecmp(sstrtrim(proto), S("TLSv1.2"))) {
+#ifdef SSL_OP_NO_TLSv1_2
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
+#else
+ log_ereport(
+ LOG_WARN,
+ "Listener: %s: TLSv1.2 already not supported",
+ listener->name.ptr);
+#endif
+ } else if(sstrcasecmp(sstrtrim(proto), S("TLSv1.3"))) {
+#ifdef SSL_OP_NO_TLSv1_3
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
+#else
+ log_ereport(
+ LOG_WARN,
+ "Listener: %s: TLSv1.3 already not supported",
+ listener->name.ptr);
+#endif
+ } else {
+ error = 1;
+ log_ereport(
+ LOG_MISCONFIG,
+ "Listener: %s: Unknown protocol %s",
+ listener->name.ptr,
+ proto.ptr);
+ }
+ free(proto.ptr);
+ }
+ free(plist);
+ }
+ }
+ if(error) {
+ return NULL;
+ }
 // TODO: cleanup on error
 sstr_t file;
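Review bot: The TLSv1.2 and TLSv1.3 branches of the disable_proto loop invert the comparison — `} else if(sstrcasecmp(sstrtrim(proto), S("TLSv1.2"))) {` and `} else if(sstrcasecmp(sstrtrim(proto), S("TLSv1.3"))) {` lack the `!` that every earlier branch has, so they match on inequality. With this code a configured `TLSv1.3` sets SSL_OP_NO_TLSv1_2 instead, `TLSv1.2` disables TLSv1.3, and any misspelled token also disables TLSv1.2 while the `Unknown protocol` LOG_MISCONFIG branch is unreachable, so a typo silently weakens the listener rather than failing startup. Both lines should read `} else if(!sstrcasecmp(sstrtrim(proto), S("TLSv1.2"))) {` and `} else if(!sstrcasecmp(sstrtrim(proto), S("TLSv1.3"))) {`. The loop header and the first log_ereport call appear garbled in this rendering (`for(int i=0;iname.ptr,`), presumably a lost `<` from the original, so the per-token log line could not be reviewed. The enclosing function starts before the hunk and continues after it.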