diff --git a/0001-use-TLSv1.-https-bugzilla.redhat.com-show_bug.cgi-id.patch b/0001-use-TLSv1.-https-bugzilla.redhat.com-show_bug.cgi-id.patch new file mode 100644 index 0000000..6f2959e --- /dev/null +++ b/0001-use-TLSv1.-https-bugzilla.redhat.com-show_bug.cgi-id.patch @@ -0,0 +1,35 @@ +From 07d1eb810930fa1de7c89bad817ccca68b9ec7bc Mon Sep 17 00:00:00 2001 +From: Mike McLean +Date: Wed, 15 Oct 2014 10:54:31 -0400 +Subject: [PATCH] use TLSv1. + https://bugzilla.redhat.com/show_bug.cgi?id=1152823 + +--- + koji/ssl/SSLCommon.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/koji/ssl/SSLCommon.py b/koji/ssl/SSLCommon.py +index 1a3b3d6..014fbf6 100644 +--- a/koji/ssl/SSLCommon.py ++++ b/koji/ssl/SSLCommon.py +@@ -37,7 +37,7 @@ def CreateSSLContext(certs): + if f and not os.access(f, os.R_OK): + raise StandardError, "%s does not exist or is not readable" % f + +- ctx = SSL.Context(SSL.SSLv3_METHOD) # SSLv3 only ++ ctx = SSL.Context(SSL.TLSv1_METHOD) # TLS v1 only + ctx.use_certificate_file(key_and_cert) + ctx.use_privatekey_file(key_and_cert) + ctx.load_client_ca(ca_cert) +@@ -45,7 +45,7 @@ def CreateSSLContext(certs): + verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT + ctx.set_verify(verify, our_verify) + ctx.set_verify_depth(10) +- ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1) ++ ctx.set_options(SSL.OP_NO_SSLv3 | SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1) + return ctx + + +-- +2.2.0 + diff --git a/koji.spec b/koji.spec index b7f851a..7ef3e63 100644 --- a/koji.spec +++ b/koji.spec @@ -2,7 +2,7 @@ Name: koji Version: 1.9.0 -Release: 8%{?dist} +Release: 9%{?dist} License: LGPLv2 and GPLv2+ # koji.ssl libs (from plague) are GPLv2+ Summary: Build system tools 
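Review bot: In the second inner hunk of the added patch (CreateSSLContext in koji/ssl/SSLCommon.py), the new `ctx.set_options(SSL.OP_NO_SSLv3 | SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)` still carries `SSL.OP_NO_TLSv1`, which contradicts the `SSL.Context(SSL.TLSv1_METHOD)` introduced in the first inner hunk. Depending on the OpenSSL build, that flag is presumably either ignored for a fixed-version method or it disables the only protocol this context can speak, so it should be dropped. Pinning to `TLSv1_METHOD` also caps every connection at TLS 1.0 and rules out TLS 1.1/1.2 even when both peers support them. A negotiating context, `ctx = SSL.Context(SSL.SSLv23_METHOD)` with `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)`, removes SSLv3 without fixing a ceiling. The body of CreateSSLContext starts outside the hunks shown, so how `certs` is unpacked and what `our_verify` checks were not reviewed.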
@@ -22,6 +22,7 @@ Patch10: 0001-refactor-image-build-handlers-in-kojid.patch Patch11: 0002-refactor-do_images.patch Patch12: 0003-add-raw-xz-option.patch Patch13: 0001-correctly-call-pykickstarts-makeVersion.patch +Patch14: 0001-use-TLSv1.-https-bugzilla.redhat.com-show_bug.cgi-id.patch Source: https://fedorahosted.org/released/koji/koji-%{version}.tar.bz2 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -148,6 +149,7 @@ koji-web is a web UI to the Koji system. %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 %build @@ -251,6 +253,9 @@ if [ $1 = 0 ]; then fi %changelog +* Thu Dec 11 2014 Dennis Gilmore - 1.9.0-9 +- add upstream patch switching to TLS1 from sslv3 + * Tue Sep 30 2014 Dennis Gilmore - 1.9.0-8 - don't exclude koji-vm from ppc and ppc64