Index: a/doc/pod/inn.conf.pod
===================================================================
--- a/doc/pod/inn.conf.pod	(revision 9744)
+++ a/doc/pod/inn.conf.pod	(revision 9745)
@@ -1015,6 +1015,9 @@
 =back
 
-Finally, here are the parameters used by nnrpd(8) to provide TLS/SSL
-support:
+=head2 TLS/SSL Support for Reading and Posting
+
+Here are the parameters used by nnrpd(8) to provide TLS/SSL support.
+
+The parameters related to certificates are:
 
 =over 4
@@ -1054,4 +1057,42 @@
 This file must only be readable by the news user or B<nnrpd> will refuse to
 use it.
+
+=back
+
+Finally, here are the parameters that can be used to tighten the level
+of security provided by TLS/SSL:
+
+=over 4
+
+=item I<tlsciphers>
+
+The string describing the cipher suites OpenSSL will support.  See
+OpenSSL's ciphers(1) command documentation for details.  The default
+is unset, which uses OpenSSL's default cipher suite list.
+
+=item I<tlscompression>
+
+Whether to enable or disable SSL/TLS compression support.  This is a
+boolean and the default is true.  (Note that the default value will be
+false in the next major release of INN.)
+
+=item I<tlspreferserverciphers>
+
+Whether to let the client or the server decide the preferred cipher.
+This is a boolean and the default is false, that is to say the client
+decides the preferred cipher.  (Note that the default value will be
+true in the next major release of INN.)
+
+=item I<tlsprotocols>
+
+The list of SSL/TLS protocol versions to support.  Valid protocols are
+B<SSLv2>, B<SSLv3>, B<TLSv1>, B<TLSv1.1> and B<TLSv1.2>.  The default
+value is to allow all these protocols:
+
+    tlsprotocols: [ SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 ]
+
+Note that the default value will be to only allow TLS protocols in
+the next major release of INN (using SSLv2 and SSLv3 will be disabled
+by default).
 
 =back
Index: a/doc/pod/news.pod
===================================================================
--- a/doc/pod/news.pod	(revision 9744)
+++ a/doc/pod/news.pod	(revision 9745)
@@ -2,4 +2,12 @@
 
 =over 2
+
+=item *
+
+New F<inn.conf> parameters used by B<nnrpd> to fine-tune the SSL/TLS
+configuration have been added:  I<tlsciphers>, I<tlscompression>,
+I<tlspreferserverciphers>, and I<tlsprotocols>.  Many thanks to Christian
+Mock for his contribution that permits to tighten the level of security
+provided by TLS/SSL.
 
 =item *
Index: a/doc/pod/nnrpd.pod
===================================================================
--- a/doc/pod/nnrpd.pod	(revision 9744)
+++ a/doc/pod/nnrpd.pod	(revision 9745)
@@ -224,4 +224,9 @@
 You may need to replace C<nntps> with C<563> if C<nntps> isn't
 defined in F</etc/services> on your system.
+
+Optionally, you may set the I<tlsciphers>, I<tlscompression>,
+I<tlspreferserverciphers>, and I<tlsprotocols> parameters in F<inn.conf>
+to fine-tune the behaviour of the SSL/TLS negotiation whenever a new
+attack on the TLS protocol or some supported cipher suite is discovered.
 
 =head1 PROTOCOL DIFFERENCES
Index: a/include/inn/innconf.h
===================================================================
--- a/include/inn/innconf.h	(revision 9744)
+++ a/include/inn/innconf.h	(revision 9745)
@@ -128,4 +128,8 @@
     char *tlscertfile;          /* Path to the SSL certificate to use */
     char *tlskeyfile;           /* Path to the key for the certificate */
+    char *tlsciphers;           /* OpenSSL-style cipher string */
+    bool tlscompression;        /* Turn TLS compression on/off */
+    bool tlspreferserverciphers; /* Make server select the cipher */
+    struct vector *tlsprotocols; /* List of supported TLS versions */
 #endif /* HAVE_SSL */
 
Index: a/lib/innconf.c
===================================================================
--- a/lib/innconf.c	(revision 9744)
+++ a/lib/innconf.c	(revision 9745)
@@ -232,5 +232,9 @@
     { K(tlscertfile),             STRING  (NULL) },
     { K(tlskeyfile),              STRING  (NULL) },
-#endif /* HAVE_SSL */
+    { K(tlsciphers),              STRING  (NULL) },
+    { K(tlscompression),          BOOL    (true) },
+    { K(tlspreferserverciphers),  BOOL   (false) },
+    { K(tlsprotocols),            LIST    (NULL) },
+#endif
 
     /* The following settings are used by nnrpd and rnews. */
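Review bot: The closing `#endif` lost its `/* HAVE_SSL */` marker in this hunk, while the matching block in include/inn/innconf.h still ends with `#endif /* HAVE_SSL */`; restoring it keeps the two files consistent. The new defaults also deserve a one-line comment above them, for example `/* Permissive defaults kept for compatibility; see inn.conf(5). */`. `BOOL (true)` for tlscompression and `LIST (NULL)` for tlsprotocols (which nnrpd/tls.c treats as allow-all, SSLv2 included) are compatibility choices that inn.conf.pod says will change in the next major release. The table these entries belong to starts and ends outside the hunk.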
Index: a/nnrpd/tls.c
===================================================================
--- a/nnrpd/tls.c	(revision 9744)
+++ a/nnrpd/tls.c	(revision 9745)
@@ -426,5 +426,7 @@
 tls_init_serverengine(int verifydepth, int askcert, int requirecert,
                       char *tls_CAfile, char *tls_CApath, char *tls_cert_file,
-                      char *tls_key_file)
+                      char *tls_key_file, bool prefer_server_ciphers,
+                      bool tls_compression, struct vector *tls_proto_vect,
+                      char *tls_ciphers)
 {
     int     off = 0;
@@ -435,4 +437,6 @@
     char   *s_key_file;
     struct stat buf;
+    size_t  tls_protos = 0;
+    size_t  i;
 
     if (tls_serverengine)
@@ -494,4 +498,72 @@
     SSL_CTX_set_options(CTX, SSL_OP_SINGLE_DH_USE);
 
+    if (prefer_server_ciphers) {
+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+        SSL_CTX_set_options(CTX, SSL_OP_CIPHER_SERVER_PREFERENCE);
+#endif
+    }
+
+    if ((tls_proto_vect != NULL) && (tls_proto_vect->count > 0)) {
+        for (i = 0; i < tls_proto_vect->count; i++) {
+            if (tls_proto_vect->strings[i] != NULL) {
+                if (strcmp(tls_proto_vect->strings[i], "SSLv2") == 0) {
+                    tls_protos |= INN_TLS_SSLv2;
+                } else if (strcmp(tls_proto_vect->strings[i], "SSLv3") == 0) {
+                    tls_protos |= INN_TLS_SSLv3;
+                } else if (strcmp(tls_proto_vect->strings[i], "TLSv1") == 0) {
+                    tls_protos |= INN_TLS_TLSv1;
+                } else if (strcmp(tls_proto_vect->strings[i], "TLSv1.1") == 0) {
+                    tls_protos |= INN_TLS_TLSv1_1;
+                } else if (strcmp(tls_proto_vect->strings[i], "TLSv1.2") == 0) {
+                    tls_protos |= INN_TLS_TLSv1_2;
+                } else {
+                    syslog(L_ERROR, "TLS engine: unknown protocol '%s' in tlsprotocols",
+                           tls_proto_vect->strings[i]);
+                }
+            }
+        }
+    } else {
+        /* Default value:  allow all protocols. */
+        tls_protos = (INN_TLS_SSLv2 | INN_TLS_SSLv3 | INN_TLS_TLSv1
+                      | INN_TLS_TLSv1_1 | INN_TLS_TLSv1_2);
+    }
+
+    if ((tls_protos & INN_TLS_SSLv2) == 0) {
+        SSL_CTX_set_options(CTX, SSL_OP_NO_SSLv2);
+    }
+
+    if ((tls_protos & INN_TLS_SSLv3) == 0) {
+        SSL_CTX_set_options(CTX, SSL_OP_NO_SSLv3);
+    }
+
+    if ((tls_protos & INN_TLS_TLSv1) == 0) {
+        SSL_CTX_set_options(CTX, SSL_OP_NO_TLSv1);
+    }
+
+    if ((tls_protos & INN_TLS_TLSv1_1) == 0) {
+#ifdef SSL_OP_NO_TLSv1_1
+        SSL_CTX_set_options(CTX, SSL_OP_NO_TLSv1_1);
+#endif
+    }
+
+    if ((tls_protos & INN_TLS_TLSv1_2) == 0) {
+#ifdef SSL_OP_NO_TLSv1_2
+        SSL_CTX_set_options(CTX, SSL_OP_NO_TLSv1_2);
+#endif
+    }
+
+    if (tls_ciphers != NULL) {
+        if (SSL_CTX_set_cipher_list(CTX, tls_ciphers) == 0) {
+            syslog(L_ERROR, "TLS engine: cannot set cipher list");
+            return (-1);
+        }
+    }
+
+    if (!tls_compression) {
+#ifdef SSL_OP_NO_COMPRESSION
+        SSL_CTX_set_options(CTX, SSL_OP_NO_COMPRESSION);
+#endif
+    }
+
     verify_depth = verifydepth;
     if (askcert!=0)
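Review bot: When `SSL_OP_NO_COMPRESSION` is not defined by the OpenSSL headers, the `if (!tls_compression)` block compiles to nothing, so an administrator who sets `tlscompression: false` may keep compression enabled with no indication in the logs; the `prefer_server_ciphers` block has the same silent no-op under `SSL_OP_CIPHER_SERVER_PREFERENCE`. An `#else` branch that logs the gap would make the unmet setting visible, for example `syslog(L_ERROR, "TLS engine: cannot disable compression with this OpenSSL version");`. Separately, an unknown name in tlsprotocols is logged but initialization continues, so a list containing only misspelled names leaves `tls_protos` at 0 and disables every protocol; returning -1 there, as the cipher-list failure does, would be more consistent. The body of tls_init_serverengine starts and ends outside this hunk.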
@@ -511,5 +583,5 @@
 /*
 **  The function called by nnrpd to initialize the TLS support.  Calls
-**  tls_init_server_engine and checks the result.  On any sort of failure,
+**  tls_init_serverengine and checks the result.  On any sort of failure,
 **  nnrpd will exit.
 **
@@ -530,5 +602,10 @@
 				       innconf->tlscapath,
 				       innconf->tlscertfile,
-				       innconf->tlskeyfile);
+				       innconf->tlskeyfile,
+                                       innconf->tlspreferserverciphers,
+                                       innconf->tlscompression,
+                                       innconf->tlsprotocols,
+                                       innconf->tlsciphers);
+
     if (ssl_result == -1) {
         Reply("%d Error initializing TLS\r\n",
Index: a/nnrpd/tls.h
===================================================================
--- a/nnrpd/tls.h	(revision 9744)
+++ a/nnrpd/tls.h	(revision 9745)
@@ -28,4 +28,11 @@
 #include <openssl/ssl.h>
 
+/* Protocol support. */
+#define INN_TLS_SSLv2 1
+#define INN_TLS_SSLv3 2
+#define INN_TLS_TLSv1 4
+#define INN_TLS_TLSv1_1 8
+#define INN_TLS_TLSv1_2 16
+
 /* Init TLS engine. */
 int tls_init_serverengine(int verifydepth, /* Depth to verify. */
@@ -35,5 +42,9 @@
 			  char *tls_CApath,
 			  char *tls_cert_file,
-			  char *tls_key_file);
+			  char *tls_key_file,
+                          bool prefer_server_ciphers,
+                          bool tls_compression,
+                          struct vector *tls_protocols,
+                          char *tls_ciphers);
 
 /* Init TLS. */
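Review bot: The prototype names the new vector parameter `tls_protocols`, but the definition in nnrpd/tls.c calls it `tls_proto_vect`; using one name in both places avoids confusion when reading or grepping. The four added parameters also lack the trailing comments the earlier ones carry (such as `/* Depth to verify. */`), so a short comment per parameter would help. On the vector, `/* NULL or empty means all protocols. */` would match what the definition does. The prototype begins outside this hunk.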
Index: a/samples/inn.conf.in
===================================================================
--- a/samples/inn.conf.in	(revision 9744)
+++ a/samples/inn.conf.in	(revision 9745)
@@ -138,4 +138,8 @@
 #tlscertfile:                @sysconfdir@/cert.pem
 #tlskeyfile:                 @sysconfdir@/key.pem
+#tlsciphers:
+#tlscompression:             true
+#tlspreferserverciphers:     false
+#tlsprotocols:               [ SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 ]
 
 # Monitoring
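Review bot: The commented `#tlsprotocols:` sample line lists SSLv2 and SSLv3 without any hint that they appear only as the current compatibility default, while inn.conf.pod in this same commit says they will be disabled by default in the next major release; the same applies to `#tlscompression: true`. A short comment above the four new lines would carry that into the file administrators actually edit, for example `# TLS hardening knobs; the values shown are the current compatibility defaults, see inn.conf(5).`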
