diff --git a/libsoup-gnutls-allow-tls.patch b/libsoup-gnutls-allow-tls.patch
new file mode 100644
index 0000000..9dbeacf
--- /dev/null
+++ b/libsoup-gnutls-allow-tls.patch
@@ -0,0 +1,14 @@
+Index: libsoup-2.31.92/libsoup/soup-gnutls.c
+===================================================================
+--- libsoup-2.31.92.orig/libsoup/soup-gnutls.c
++++ libsoup-2.31.92/libsoup/soup-gnutls.c
+@@ -477,7 +477,8 @@ soup_ssl_wrap_iochannel (GIOChannel *soc
+ goto THROW_CREATE_ERROR;
+
+ /* See http://bugzilla.gnome.org/show_bug.cgi?id=581342 */
+- if (gnutls_priority_set_direct (session, "NORMAL:!VERS-TLS1.2:!VERS-TLS1.1:!VERS-TLS1.0", NULL) != 0)
++ /* This is what nss uses by default, see https://bugzilla.novell.com/show_bug.cgi?id=634040#c7 */
++ if (gnutls_priority_set_direct (session, "NORMAL:%COMPAT:!VERS-TLS1.1", NULL) != 0)
+ goto THROW_CREATE_ERROR;
+
+ if (gnutls_credentials_set (session, GNUTLS_CRD_CERTIFICATE,
diff --git a/libsoup.changes b/libsoup.changes
index 643fa9f..5290100 100644
--- a/libsoup.changes
+++ b/libsoup.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Sep 20 11:29:41 CEST 2010 - vuntz@opensuse.org
+
+- Add libsoup-gnutls-allow-tls.patch: let gnutls try to use TLS,
+ instead of being SSL 3.0-only. This might lead to some websites
+ not being accessible with libsoup, and upstream does not want
+ this behavior; a proper fix needs a lot of work. See discussion
+ in bnc#634040.
+
 -------------------------------------------------------------------
 Mon Sep 13 22:43:23 CEST 2010 - dimstar@opensuse.org
 
diff --git a/libsoup.spec b/libsoup.spec
index 951735d..1efb218 100644
--- a/libsoup.spec
+++ b/libsoup.spec
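Review bot: The new priority string on the added `gnutls_priority_set_direct` line in libsoup-gnutls-allow-tls.patch keeps `!VERS-TLS1.1` but drops the old `!VERS-TLS1.2` exclusion, so if NORMAL in the packaged GnuTLS includes TLS 1.2 the enabled versions are no longer a contiguous range, and the added comment ("what nss uses by default") does not say why 1.1 alone stays off. If the intent is to stop at TLS 1.0, spell that out as `"NORMAL:%COMPAT:!VERS-TLS1.2:!VERS-TLS1.1"`; if TLS 1.2 is meant to be offered, say so in the comment, since a peer that answers with TLS 1.1 would presumably then fail the handshake. SSL 3.0 stays negotiable and `%COMPAT` trades some protocol strictness for interoperability, so a short comment recording that both are deliberate would help a later audit of this downstream-only patch. The body of `soup_ssl_wrap_iochannel` starts and ends outside the hunk, so any retry or fallback handling around this call is not visible here.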
@@ -19,6 +19,16 @@ Name: libsoup +Summary: HTTP client/server library for GNOME +Version: 2.31.92 +Release: 1 +License: LGPLv2.1+ +Group: Development/Libraries/GNOME +Url: http://www.gnome.org +Source: ftp://ftp.gnome.org/pub/GNOME/stable/sources/libsoup/2.2/%{name}-%{version}.tar.bz2 +Source99: baselibs.conf +# PATCH-FIX-OPENSUSE libsoup-gnutls-allow-tls.patch bnc#634040 vuntz@opensuse.org -- Allow TLS usage instead of being SSL 3.0-only. Upstream does not want this, and rewriting a lot of code is needed to fix this correctly. However, the openSUSE security team wants TLS to be used if possible. This might lead to some websites being not accessible with libsoup. +Patch0: libsoup-gnutls-allow-tls.patch BuildRequires: gconf2-devel BuildRequires: glib2-devel BuildRequires: gnutls-devel @@ -30,21 +40,13 @@ BuildRequires: libxml2-devel BuildRequires: sqlite3-devel # We do not need these dependencies needed only for tests. #BuildRequires: apache2-mod_php5 php5-xmlrpc -License: LGPLv2.1+ -Group: Development/Libraries/GNOME +Requires: %{name}-2_4-1 = %{version} # bug437293 %ifarch ppc64 Obsoletes: libsoup-64bit %endif # -Summary: HTTP client/server library for GNOME -Version: 2.31.92 -Release: 1 -Source: ftp://ftp.gnome.org/pub/GNOME/stable/sources/libsoup/2.2/%{name}-%{version}.tar.bz2 -Source99: baselibs.conf -Url: http://www.gnome.org BuildRoot: %{_tmppath}/%{name}-%{version}-build -Requires: %{name}-2_4-1 = %{version} %description Libsoup is an HTTP client/server library for GNOME. It uses GObjects @@ -112,6 +114,7 @@ Features: %prep %setup -q +%patch0 -p1 %build %configure\