diff --git a/0002-curl-7.21.4-7aa2d10.patch b/0002-curl-7.21.4-7aa2d10.patch
new file mode 100644
index 0000000..1a7ec7c
--- /dev/null
+++ b/0002-curl-7.21.4-7aa2d10.patch
@@ -0,0 +1,44 @@
+From 1f009bb739514d08efef093adf5e1813db6333ec Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Tue, 22 Feb 2011 13:13:53 +0100
+Subject: [PATCH] nss: do not ignore failure of SSL handshake
+
+Flaw introduced in fc77790 and present in curl-7.21.4.
+Bug: https://bugzilla.redhat.com/669702#c16
+---
+ lib/nss.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index d26ad5b..be26253 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1157,7 +1157,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ struct SessionHandle *data = conn->data;
+ curl_socket_t sockfd = conn->sock[sockindex];
+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+- int curlerr;
++ CURLcode curlerr;
+ const int *cipher_to_enable;
+ PRSocketOptionData sock_opt;
+ long time_left;
+@@ -1289,9 +1289,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ NULL) != SECSuccess)
+ goto error;
+
+- if(data->set.ssl.verifypeer && (CURLE_OK !=
+- (curlerr = nss_load_ca_certificates(conn, sockindex))))
+- goto error;
++ if(data->set.ssl.verifypeer) {
++ const CURLcode rv = nss_load_ca_certificates(conn, sockindex);
++ if(CURLE_OK != rv) {
++ curlerr = rv;
++ goto error;
++ }
++ }
+
+ if (data->set.ssl.CRLfile) {
+ if(SECSuccess != nss_load_crl(data->set.ssl.CRLfile)) {
+--
+1.7.4
+
diff --git a/curl.spec b/curl.spec
index 9feb3c4..7f53fa3 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.21.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
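Review bot: The new block in the `@@ -1289,9 +1289,13 @@` hunk of the added lib/nss.c patch has no comment explaining why the result of nss_load_ca_certificates() goes into a separate `rv` instead of straight into `curlerr`, so a later cleanup could fold it back into the old one-line form. Judging from the subject line and the removed lines, the old assignment stored CURLE_OK in `curlerr` on success, and a later `goto error` then presumably returned that success code for a failed handshake; the initialisation of `curlerr` and the `error:` label lie outside the hunk, so this is inferred. I would add `/* never store CURLE_OK in curlerr here: later 'goto error' paths return it as-is */` above `const CURLcode rv = ...`. Nothing in the visible curl.spec hunks adds a check for this either, so confirm after the rebuild that a connection with verifypeer set to a server presenting an untrusted certificate ends in an error code.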
@@ -11,6 +11,9 @@ Source3: hide_selinux.c # avoid memory leak on SSL connection failure Patch1: 0001-curl-7.21.4-a40f58d.patch +# do not ignore failure of SSL handshake +Patch2: 0002-curl-7.21.4-7aa2d10.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.21.1-multilib.patch @@ -111,6 +114,7 @@ done # upstream patches (already applied) %patch1 -p1 +%patch2 -p1 # Fedora patches %patch101 -p1 @@ -224,6 +228,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Tue Feb 22 2011 Kamil Dudka 7.21.4-2 +- do not ignore failure of SSL handshake (upstream commit 7aa2d10) + * Fri Feb 18 2011 Kamil Dudka 7.21.4-1 - new upstream release - avoid memory leak on SSL connection failure (upstream commit a40f58d)