52d0d3
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
52d0d3
index 345914f..d23967f 100644
52d0d3
--- a/src/event/ngx_event_openssl.c
52d0d3
+++ b/src/event/ngx_event_openssl.c
52d0d3
@@ -252,6 +252,8 @@ ngx_ssl_init(ngx_log_t *log)
52d0d3
 ngx_int_t
52d0d3
 ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
52d0d3
 {
52d0d3
+    ngx_uint_t prot = NGX_SSL_NO_PROT;
52d0d3
+
52d0d3
     ssl->ctx = SSL_CTX_new(SSLv23_method());
52d0d3
 
52d0d3
     if (ssl->ctx == NULL) {
52d0d3
@@ -316,49 +318,54 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
52d0d3
 
52d0d3
     SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
52d0d3
 
52d0d3
-#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
52d0d3
-    /* only in 0.9.8m+ */
52d0d3
-    SSL_CTX_clear_options(ssl->ctx,
52d0d3
-                          SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
52d0d3
-#endif
52d0d3
-
52d0d3
-    if (!(protocols & NGX_SSL_SSLv2)) {
52d0d3
-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2);
52d0d3
-    }
52d0d3
-    if (!(protocols & NGX_SSL_SSLv3)) {
52d0d3
-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3);
52d0d3
-    }
52d0d3
-    if (!(protocols & NGX_SSL_TLSv1)) {
52d0d3
-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1);
52d0d3
-    }
52d0d3
-#ifdef SSL_OP_NO_TLSv1_1
52d0d3
-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
52d0d3
-    if (!(protocols & NGX_SSL_TLSv1_1)) {
52d0d3
-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1);
52d0d3
-    }
52d0d3
+    if (protocols){
52d0d3
+#ifdef SSL_OP_NO_TLSv1_3
52d0d3
+        if (protocols & NGX_SSL_TLSv1_3) {
52d0d3
+            prot = TLS1_3_VERSION;
52d0d3
+        } else
52d0d3
 #endif
52d0d3
 #ifdef SSL_OP_NO_TLSv1_2
52d0d3
-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
52d0d3
-    if (!(protocols & NGX_SSL_TLSv1_2)) {
52d0d3
-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2);
52d0d3
-    }
52d0d3
+        if (protocols & NGX_SSL_TLSv1_2) {
52d0d3
+            prot =  TLS1_2_VERSION;
52d0d3
+        } else
52d0d3
 #endif
52d0d3
-#ifdef SSL_OP_NO_TLSv1_3
52d0d3
-    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
52d0d3
-    if (!(protocols & NGX_SSL_TLSv1_3)) {
52d0d3
-        SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_3);
52d0d3
-    }
52d0d3
+#ifdef SSL_OP_NO_TLSv1_1
52d0d3
+        if (protocols & NGX_SSL_TLSv1_1) {
52d0d3
+            prot = TLS1_1_VERSION;
52d0d3
+        } else
52d0d3
 #endif
52d0d3
+        if (protocols & NGX_SSL_TLSv1) {
52d0d3
+            prot = TLS1_VERSION;
52d0d3
+        }
52d0d3
+
52d0d3
+        if (prot == NGX_SSL_NO_PROT) {
52d0d3
+                    ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
52d0d3
+                      "No SSL protocols available [hint: ssl_protocols]");
52d0d3
+            return NGX_ERROR;
52d0d3
+        }
52d0d3
 
52d0d3
-#ifdef SSL_CTX_set_min_proto_version
52d0d3
-    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
52d0d3
-    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
52d0d3
+        SSL_CTX_set_max_proto_version(ssl->ctx, prot);
52d0d3
+
52d0d3
+        /* Now, we have to scan for minimal protocol version,
52d0d3
+         *without allowing holes between min and max*/
52d0d3
+#if SSL_OP_NO_TLSv1_3
52d0d3
+        if ((prot == TLS1_3_VERSION) && (protocols & NGX_SSL_TLSv1_2)) {
52d0d3
+            prot = TLS1_2_VERSION;
52d0d3
+        }
52d0d3
 #endif
52d0d3
 
52d0d3
-#ifdef TLS1_3_VERSION
52d0d3
-    SSL_CTX_set_min_proto_version(ssl->ctx, 0);
52d0d3
-    SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
52d0d3
+#ifdef SSL_OP_NO_TLSv1_1
52d0d3
+        if ((prot == TLS1_2_VERSION) && (protocols & NGX_SSL_TLSv1_1)) {
52d0d3
+            prot = TLS1_1_VERSION;
52d0d3
+        }
52d0d3
+#endif
52d0d3
+#ifdef SSL_OP_NO_TLSv1_2
52d0d3
+        if ((prot == TLS1_1_VERSION) && (protocols & NGX_SSL_TLSv1)) {
52d0d3
+            prot = TLS1_VERSION;
52d0d3
+        }
52d0d3
 #endif
52d0d3
+        SSL_CTX_set_min_proto_version(ssl->ctx, prot);
52d0d3
+    }
52d0d3
 
52d0d3
 #ifdef SSL_OP_NO_COMPRESSION
52d0d3
     SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
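Review bot: `SSL_CTX_set_max_proto_version()` and `SSL_CTX_set_min_proto_version()` are called with their results ignored, so if the library rejects a bound the context keeps its previous, possibly wider, protocol range while the configuration appears applied. Each call should fail `ngx_ssl_create()` the way the empty-selection branch above already does, and the removed `#ifdef SSL_CTX_set_min_proto_version` guard is no longer present around them. The guards in the minimum scan are also inconsistent: `#if SSL_OP_NO_TLSv1_3` should be `#ifdef SSL_OP_NO_TLSv1_3`, and the `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` guards sit on the opposite steps from the constants they protect. When `protocols` is 0, the new merge default in the http, mail and stream hunks, this block is skipped and the removed `SSL_OP_NO_*` calls are gone, so the accepted versions are whatever the linked library or system policy allows; a comment stating that this is intended would help. `ngx_ssl_create()` continues past the end of this hunk.

```c
        /* … unchanged: selection of the highest enabled version into prot … */

        if (SSL_CTX_set_max_proto_version(ssl->ctx, prot) == 0) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "SSL_CTX_set_max_proto_version() failed");
            return NGX_ERROR;
        }

        /* … unchanged: scan down to the lowest contiguous enabled version … */

        if (SSL_CTX_set_min_proto_version(ssl->ctx, prot) == 0) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "SSL_CTX_set_min_proto_version() failed");
            return NGX_ERROR;
        }
```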
52d0d3
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
52d0d3
index 61da0c5..fa7ac41 100644
52d0d3
--- a/src/event/ngx_event_openssl.h
52d0d3
+++ b/src/event/ngx_event_openssl.h
52d0d3
@@ -145,6 +145,7 @@ typedef struct {
52d0d3
 #endif
52d0d3
 
52d0d3
 
52d0d3
+#define NGX_SSL_NO_PROT  0x0000
52d0d3
 #define NGX_SSL_SSLv2    0x0002
52d0d3
 #define NGX_SSL_SSLv3    0x0004
52d0d3
 #define NGX_SSL_TLSv1    0x0008
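Review bot: `NGX_SSL_NO_PROT` is added at the head of the `NGX_SSL_*` protocol bitmask flags, but in the visible hunks it is used only as the initial value of `prot` in `ngx_ssl_create()`, which otherwise holds OpenSSL `TLS*_VERSION` constants rather than `NGX_SSL_*` bits. A short comment would keep it from being read as a selectable protocol flag, for example `/* sentinel: no protocol version selected; not an ssl_protocols bit */`. The flag list continues outside this hunk.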
52d0d3
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
52d0d3
index b3f8f47..8340a12 100644
52d0d3
--- a/src/http/modules/ngx_http_ssl_module.c
52d0d3
+++ b/src/http/modules/ngx_http_ssl_module.c
52d0d3
@@ -613,8 +613,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
52d0d3
     ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
52d0d3
 
52d0d3
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
52d0d3
-                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
52d0d3
-                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
52d0d3
+                         0)
52d0d3
 
52d0d3
     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
52d0d3
                          NGX_SSL_BUFSIZE);
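Review bot: The rewritten `ngx_conf_merge_bitmask_value(...)` call ends in `0)` with no semicolon, while the same edit in `ngx_mail_ssl_module.c` and `ngx_stream_ssl_module.c` ends in `0);`. This compiles only if the macro expands to a complete braced statement, and its definition is not visible here, so the line should read `0);` to match the other two modules. `ngx_http_ssl_merge_srv_conf()` starts and ends outside this hunk.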
52d0d3
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
52d0d3
index 5544f75..3316a4b 100644
52d0d3
--- a/src/mail/ngx_mail_ssl_module.c
52d0d3
+++ b/src/mail/ngx_mail_ssl_module.c
52d0d3
@@ -291,8 +291,7 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
52d0d3
                          prev->prefer_server_ciphers, 0);
52d0d3
 
52d0d3
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
52d0d3
-                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
52d0d3
-                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
52d0d3
+                         0);
52d0d3
 
52d0d3
     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
52d0d3
     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
52d0d3
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
52d0d3
index ec9524e..37af046 100644
52d0d3
--- a/src/stream/ngx_stream_ssl_module.c
52d0d3
+++ b/src/stream/ngx_stream_ssl_module.c
52d0d3
@@ -625,8 +625,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
52d0d3
                          prev->prefer_server_ciphers, 0);
52d0d3
 
52d0d3
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
52d0d3
-                         (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
52d0d3
-                          |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
52d0d3
+                         0);
52d0d3
 
52d0d3
     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
52d0d3
     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);