diff --git a/ChangeLog b/ChangeLog
index fd83b9e60..255d35905 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 PolarSSL ChangeLog (Sorted per branch, date)
 
+= PolarSSL 1.3.10 released ???
+Changes
+   * Example programs for SSL client and server now disable SSLv3 by default.
+
 = PolarSSL 1.3.9 released 2014-10-20
 Security
    * Lowest common hash was selected from signature_algorithms extension in
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 194e94471..4cabf7c9e 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -1372,8 +1372,10 @@ void ssl_set_max_version( ssl_context *ssl, int major, int minor );
  * \brief          Set the minimum accepted SSL/TLS protocol version
  *                 (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
  *
- *                 Note: Input outside of the SSL_MAX_XXXXX_VERSION and
- *                       SSL_MIN_XXXXX_VERSION range is ignored.
+ * \note           Input outside of the SSL_MAX_XXXXX_VERSION and
+ *                 SSL_MIN_XXXXX_VERSION range is ignored.
+ *
+ * \note           SSL_MINOR_VERSION_0 (SSL v3) should be avoided.
  *
  * \param ssl      SSL context
  * \param major    Major version number (only SSL_MAJOR_VERSION_3 supported)
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 1b369a658..8f85b1016 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -168,6 +168,9 @@ int main( int argc, char *argv[] )
     ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
     ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );
 
+    /* SSLv3 is deprecated, set minimum to TLS 1.0 */
+    ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
+
     ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
     ssl_set_dbg( &ssl, my_debug, stdout );
     ssl_set_bio( &ssl, net_recv, &server_fd,
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 5b7a488c9..505ce10c2 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -86,7 +86,7 @@ int main( int argc, char *argv[] )
 #define DFL_ALLOW_LEGACY        SSL_LEGACY_NO_RENEGOTIATION
 #define DFL_RENEGOTIATE         0
 #define DFL_EXCHANGES           1
-#define DFL_MIN_VERSION         -1
+#define DFL_MIN_VERSION         SSL_MINOR_VERSION_1
 #define DFL_MAX_VERSION         -1
 #define DFL_AUTH_MODE           SSL_VERIFY_REQUIRED
 #define DFL_MFL_CODE            SSL_MAX_FRAG_LEN_NONE
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 706cdd492..ae1e155b9 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -264,6 +264,10 @@ int main( int argc, char *argv[] )
         ssl_set_endpoint( &ssl, SSL_IS_SERVER );
         ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
 
+        /* SSLv3 is deprecated, set minimum to TLS 1.0 */
+        ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3,
+                                   SSL_MINOR_VERSION_1 );
+
         ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
         ssl_set_dbg( &ssl, my_debug, stdout );
         ssl_set_bio( &ssl, net_recv, &client_fd,
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 4cf59d03a..74f9d7bd2 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -601,6 +601,9 @@ int main( int argc, char *argv[] )
      * but makes interop easier in this simplified example */
     ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
 
+    /* SSLv3 is deprecated, set minimum to TLS 1.0 */
+    ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
+
     ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
     ssl_set_dbg( &ssl, my_debug, stdout );
     ssl_set_bio( &ssl, net_recv, &server_fd,
diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c
index 9a4c554e9..aed2513b6 100644
--- a/programs/ssl/ssl_pthread_server.c
+++ b/programs/ssl/ssl_pthread_server.c
@@ -165,6 +165,9 @@ static void *handle_ssl_connection( void *data )
     ssl_set_endpoint( &ssl, SSL_IS_SERVER );
     ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
 
+    /* SSLv3 is deprecated, set minimum to TLS 1.0 */
+    ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
+
     ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
     ssl_set_dbg( &ssl, my_mutexed_debug, stdout );
 
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 9e097998f..eb44e07df 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -198,6 +198,9 @@ int main( int argc, char *argv[] )
     ssl_set_endpoint( &ssl, SSL_IS_SERVER );
     ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
 
+    /* SSLv3 is deprecated, set minimum to TLS 1.0 */
+    ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
+
     ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
     ssl_set_dbg( &ssl, my_debug, stdout );
 
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 721dab42e..3fecb4741 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -105,7 +105,7 @@ int main( int argc, char *argv[] )
 #define DFL_RENEGOTIATE         0
 #define DFL_RENEGO_DELAY        -2
 #define DFL_EXCHANGES           1
-#define DFL_MIN_VERSION         -1
+#define DFL_MIN_VERSION         SSL_MINOR_VERSION_1
 #define DFL_MAX_VERSION         -1
 #define DFL_AUTH_MODE           SSL_VERIFY_OPTIONAL
 #define DFL_MFL_CODE            SSL_MAX_FRAG_LEN_NONE
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index f94808d2c..361d393fa 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -941,7 +941,7 @@ run_test    "Authentication: client no cert, openssl server optional" \
 
 run_test    "Authentication: client no cert, ssl3" \
             "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
-            "$P_CLI debug_level=3 crt_file=none key_file=none" \
+            "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
             0 \
             -S "skip write certificate request" \
             -C "skip parse certificate request" \
@@ -1569,7 +1569,7 @@ run_test    "PSK callback: wrong key" \
 # Tests for ciphersuites per version
 
 run_test    "Per-version suites: SSL3" \
-            "$P_SRV version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
+            "$P_SRV min_version=ssl3 version_suites=TLS-RSA-WITH-3DES-EDE-CBC-SHA,TLS-RSA-WITH-RC4-128-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
             "$P_CLI force_version=ssl3" \
             0 \
             -c "Ciphersuite is TLS-RSA-WITH-3DES-EDE-CBC-SHA"
@@ -1609,14 +1609,14 @@ run_test    "ssl_get_bytes_avail: extra data" \
 # Tests for small packets
 
 run_test    "Small packet SSLv3 BlockCipher" \
-            "$P_SRV" \
+            "$P_SRV min_version=ssl3" \
             "$P_CLI request_size=1 force_version=ssl3 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
             0 \
             -s "Read from client: 1 bytes read"
 
 run_test    "Small packet SSLv3 StreamCipher" \
-            "$P_SRV" \
+            "$P_SRV min_version=ssl3" \
             "$P_CLI request_size=1 force_version=ssl3 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             0 \
@@ -1728,14 +1728,14 @@ run_test    "Small packet TLS 1.2 AEAD shorter tag" \
 # Test for large packets
 
 run_test    "Large packet SSLv3 BlockCipher" \
-            "$P_SRV" \
+            "$P_SRV min_version=ssl3" \
             "$P_CLI request_size=16384 force_version=ssl3 \
              force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
             0 \
             -s "Read from client: 16384 bytes read"
 
 run_test    "Large packet SSLv3 StreamCipher" \
-            "$P_SRV" \
+            "$P_SRV min_version=ssl3" \
             "$P_CLI request_size=16384 force_version=ssl3 \
              force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
             0 \