diff --git a/changes/disable_sslv3 b/changes/disable_sslv3
new file mode 100644
index 000000000..bb4c2df7a
--- /dev/null
+++ b/changes/disable_sslv3
@@ -0,0 +1,4 @@
+  o Major security fixes:
+    - Disable support for SSLv3. All versions of OpenSSL in use with
+      Tor today support TLS 1.0 or later, so we can safely turn off
+      support for this old (and insecure) protocol. Fixes bug 13426.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index c13b12fd4..4222f6dbf 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1272,10 +1272,11 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
     goto error;
 #endif
 
-  /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
+  /* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
   if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
     goto error;
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
+  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
 
   /* Prefer the server's ordering of ciphers: the client's ordering has
   * historically been chosen for fingerprinting resistance. */
@@ -1314,6 +1315,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
   }
 #endif
 
+  /* XXX This block is now obsolete. */
   if (
 #ifdef DISABLE_SSL3_HANDSHAKE
       1 ||