diff --git a/main/tcptls.c b/main/tcptls.c
index fd6d5016ede2a975d3707ef3f9215e0dbe673c07..1930d61cf374e9effe85c3decd55f0ee55e206ee 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -747,6 +747,8 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 	cfg->enabled = 0;
 	return 0;
 #else
+	int disable_ssl = 0;
+ 
 	if (!cfg->enabled) {
 		return 0;
 	}
@@ -762,22 +764,21 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 	if (client) {
 #ifndef OPENSSL_NO_SSL2
 		if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
+			ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
 			cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
 		} else
 #endif
 		if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
+			ast_log(LOG_WARNING, "Usage of SSLv3 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
 			cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
 		} else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
 			cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
 		} else {
-			/* SSLv23_client_method() sends SSLv2, this was the original
-			 * default for ssl clients before the option was given to
-			 * pick what protocol a client should use.  In order not
-			 * to break expected behavior it remains the default. */
+			disable_ssl = 1;
 			cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
 		}
 	} else {
-		/* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
+		disable_ssl = 1;
 		cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 	}
 
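Review bot: Both added warnings recommend 'tlsv1', but the branch just below them maps AST_SSL_TLSV1_CLIENT to `TLSv1_client_method()`, which pins the client to TLS 1.0 and cannot negotiate anything newer. Only the unspecified default (`SSLv23_client_method()` with SSLv2/SSLv3 masked off later in the function) gets TLSv1 and later, so the message should point there alone, e.g. `"Usage of SSLv3 is discouraged due to known vulnerabilities. Please leave the TLS method unspecified!\n"`. The two removed comments also leave the SSLv23 branches unexplained; a short `/* negotiates the highest shared version; SSLv2/SSLv3 are masked off below */` next to each `disable_ssl = 1;` would help. __ssl_setup starts and ends outside this hunk.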
@@ -787,6 +788,17 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
 		return 0;
 	}
 
+	/* Due to the POODLE vulnerability, completely disable
+	 * SSLv2 and SSLv3 if we are not explicitly told to use
+	 * them. SSLv23_*_method supports TLSv1+.
+	 */
+	if (disable_ssl) {
+		long ssl_opts;
+
+		ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+		SSL_CTX_set_options(cfg->ssl_ctx, ssl_opts);
+	}
+
 	SSL_CTX_set_verify(cfg->ssl_ctx,
 		ast_test_flag(&cfg->flags, AST_SSL_VERIFY_CLIENT) ? SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT : SSL_VERIFY_NONE,
 		NULL);
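Review bot: The comment above `if (disable_ssl)` credits POODLE for both option bits, but POODLE is an SSLv3 padding attack; SSLv2 is excluded for its own, older weaknesses. The flag name also reads as if TLS as a whole were being switched off, so I would rename it to something like `disable_legacy_ssl`. The comment should say that `SSLv23_*_method()` is restricted to TLSv1 and later unless the configuration explicitly selects SSLv2 or SSLv3. It should also state that a client context built from an explicit SSLv2/SSLv3 setting skips this block and stays exposed, with the log warning as the only signal. __ssl_setup starts and ends outside this hunk.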
diff --git a/res/res_xmpp.c b/res/res_xmpp.c
index b3c374871de40d67af06a5d2cb3f2ee46697aea2..3cb6fc572cdd62dd5379f56f0df30940d09f9b40 100644
--- a/res/res_xmpp.c
+++ b/res/res_xmpp.c
@@ -2637,6 +2637,7 @@ static int xmpp_client_requested_tls(struct ast_xmpp_client *client, struct ast_
 {
 #ifdef HAVE_OPENSSL
 	int sock;
+	long ssl_opts;
 #endif
 
 	if (!strcmp(iks_name(node), "success")) {
@@ -2655,11 +2656,14 @@ static int xmpp_client_requested_tls(struct ast_xmpp_client *client, struct ast_
 	ast_log(LOG_ERROR, "Somehow we managed to try to start TLS negotiation on client '%s' without OpenSSL support, disconnecting\n", client->name);
 	return -1;
 #else
-	client->ssl_method = SSLv3_method();
+	client->ssl_method = SSLv23_method();
 	if (!(client->ssl_context = SSL_CTX_new((SSL_METHOD *) client->ssl_method))) {
 		goto failure;
 	}
 
+	ssl_opts = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+	SSL_CTX_set_options(client->ssl_context, ssl_opts);
+
 	if (!(client->ssl_session = SSL_new(client->ssl_context))) {
 		goto failure;
 	}
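Review bot: The switch to `SSLv23_method()` plus the two option bits carries no comment, so the next reader sees a method name that mentions SSLv2/SSLv3 in code meant to exclude them. A one-liner above the assignment would do: `/* SSLv23_method() negotiates the highest shared version; SSLv2 and SSLv3 are masked off below (POODLE) */`. The `ssl_opts` local is declared in the earlier hunk and used only here, so passing `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` straight to `SSL_CTX_set_options()` would drop a declaration under `#ifdef HAVE_OPENSSL`. No verify mode is set on the context in the visible lines; whether the peer certificate is checked is decided outside this hunk and is worth confirming, since the function continues past it.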