diff --git a/openssl.spec b/openssl.spec
index 74f0d49..101409e 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -373,6 +373,13 @@ basearch=sparc
 basearch=sparc64
 %endif
 
+# Next step of gradual disablement of SSL3.
+# Make SSL3 disappear to newly built dependencies.
+sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
+\#ifndef OPENSSL_NO_SSL3\
+\# define OPENSSL_NO_SSL3\
+\#endif\' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
+
 %ifarch %{multilib_arches}
 # Do an opensslconf.h switcheroo to avoid file conflicts on systems where you
 # can have both a 32- and 64-bit version of the library, and they each need
@@ -449,6 +456,10 @@ export LD_LIBRARY_PATH
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Sep 27 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-4
+- define OPENSSL_NO_SSL3 so the newly built dependencies do not
+  have access to SSL3 API calls anymore
+
 * Mon Sep 17 2018 Tomáš Mráz <tmraz@redhat.com> 1.1.1-3
 - reinstate accidentally dropped patch for weak ciphersuites