diff --git a/ncat/ncat_main.c b/ncat/ncat_main.c
index 77e2eba87..a2b86e6ee 100644
--- a/ncat/ncat_main.c
+++ b/ncat/ncat_main.c
@@ -306,12 +306,17 @@ int main(int argc, char *argv[])
 {"proxy-auth", required_argument, NULL, 0},
 {"nsock-engine", required_argument, NULL, 0},
 {"test", no_argument, NULL, 0},
-#ifdef HAVE_OPENSSL
 {"ssl", no_argument, &o.ssl, 1},
+#ifdef HAVE_OPENSSL
 {"ssl-cert", required_argument, NULL, 0},
 {"ssl-key", required_argument, NULL, 0},
 {"ssl-verify", no_argument, NULL, 0},
 {"ssl-trustfile", required_argument, NULL, 0},
+#else
+ {"ssl-cert", optional_argument, NULL, 0},
+ {"ssl-key", optional_argument, NULL, 0},
+ {"ssl-verify", no_argument, NULL, 0},
+ {"ssl-trustfile", optional_argument, NULL, 0},
 #endif
 {0, 0, 0, 0}
 };
@@ -514,6 +519,16 @@ int main(int argc, char *argv[])
 verification. */
 o.sslverify = 1;
 }
+#else
+ else if (strcmp(long_options[option_index].name, "ssl-cert") == 0) {
+ bye("OpenSSL isn't compiled in. The --ssl-cert option cannot be chosen.");
+ } else if (strcmp(long_options[option_index].name, "ssl-key") == 0) {
+ bye("OpenSSL isn't compiled in. The --ssl-key option cannot be chosen.");
+ } else if (strcmp(long_options[option_index].name, "ssl-verify") == 0) {
+ bye("OpenSSL isn't compiled in. The --ssl-verify option cannot be chosen.");
+ } else if (strcmp(long_options[option_index].name, "ssl-trustfile") == 0) {
+ bye("OpenSSL isn't compiled in. The --ssl-trustfile option cannot be chosen.");
+ }
 #endif
 #ifdef HAVE_LUA
 else if (strcmp(long_options[option_index].name, "lua-exec") == 0) {
@@ -615,6 +630,11 @@ int main(int argc, char *argv[])
 }
 }
+#ifndef HAVE_OPENSSL
+ if (o.ssl)
+ bye("OpenSSL isn't compiled in. The --ssl option cannot be chosen.");
+#endif
+
 if (o.normlog)
 o.normlogfd = ncat_openlog(o.normlog, o.append);
 if (o.hexlog)
diff --git a/todo/nmap.txt b/todo/nmap.txt
index 27ec9b228..3c1e6b0c7 100644
--- a/todo/nmap.txt
+++ b/todo/nmap.txt
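Review bot: In the `#else` half of the `long_options` table, `--ssl-cert`, `--ssl-key` and `--ssl-trustfile` are declared `optional_argument` while the OpenSSL build declares them `required_argument`, and nothing says why. With `optional_argument`, getopt_long only binds a value written as `--ssl-cert=FILE`; in `--ssl-cert FILE` the file name is left as a positional argument, which is harmless only because the handler added further down exits as soon as the option is seen. If the intent is to let a bare `--ssl-cert` reach the "not compiled in" message instead of getopt's own missing-argument error, a comment above `#else` should say so, e.g. `/* optional_argument: these entries exist only to report that OpenSSL is missing; optarg is never read */`. Moving `{"ssl", no_argument, &o.ssl, 1}` out of the `#ifdef` also assumes `o.ssl` is declared in builds without OpenSSL, which this diff does not show.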
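Review bot: The four `#else` branches added to the option loop differ only in the option name, so the message is duplicated four times and a fifth `ssl-*` option would need another copy. Assuming `bye()` takes a printf-style format, one branch covers them: `else if (strncmp(long_options[option_index].name, "ssl-", 4) == 0) {` followed by `bye("OpenSSL isn't compiled in. The --%s option cannot be chosen.", long_options[option_index].name);`. Exiting at this point is the right behaviour, since continuing would hand the user a plaintext connection after they asked for TLS. The `if`/`else if` chain these branches join starts and ends outside the hunk.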
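Review bot: The `#ifndef HAVE_OPENSSL` check added after the option loop has no comment explaining why `--ssl` is rejected here while the `--ssl-*` options are rejected inside the loop. The table entry `{"ssl", no_argument, &o.ssl, 1}` stores the value through getopt_long's flag pointer, so this is the first place it is inspected. A one-line comment such as `/* --ssl is set via the long_options flag pointer, so reject it here, before the log files are opened */` would record both that and the ordering against the `ncat_openlog()` calls that follow. `main()` continues beyond the hunk.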
@@ -148,10 +148,6 @@ o Some things that GSoC 2014 student Sriharsha is or is likely to soon be working on: o Setting up his dev environment, getting Nmap compiling on Linux + Win. - o When Ncat is compiled without OpenSSL, we should still accept the - --ssl argument and just give an error message noting that SSL was not - compiled in. This reduces confusion for users - (e.g. http://seclists.org/nmap-dev/2013/q3/579) o Implement some improvements to dns-ip6-arpa.nse, as describe at http://seclists.org/nmap-dev/2012/q2/45. - Also consider a move to "fire and forget" logic. Just blast out @@ -841,6 +837,11 @@ o random tip database DONE: +o When Ncat is compiled without OpenSSL, we should still accept the + --ssl argument and just give an error message noting that SSL was not + compiled in. This reduces confusion for users + (e.g. http://seclists.org/nmap-dev/2013/q3/579) + o We should update our OpenSSL Windows binaries from version 1.0.1c to something newer, like 1.01f