diff --git a/CHANGELOG b/CHANGELOG
index f5577b826..9a5a5f15b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,10 @@
 #Nmap Changelog ($Id$); -*-text-*-
+o [NSE] tls.lua when creating a client_hello message will now only use a SSLv3
+ record layer if the protocol version is SSLv3. Some TLS implementations will
+ not handshake with a client offering less than TLSv1.0. Scripts will have to
+ manually fall back to SSLv3 to talk to SSLv3-only servers. [Daniel Miller]
+
 o [NSE][GH#1322] Fix a few false-positive conditions in ssl-ccs-injection. TLS implementations that responded with fatal alerts other than "unexpected message" had been falsely marked as vulnerable. [Daniel Miller]
diff --git a/nselib/tls.lua b/nselib/tls.lua
index c4e73c4d6..1f4b0a7e5 100644
--- a/nselib/tls.lua
+++ b/nselib/tls.lua
@@ -1539,7 +1539,15 @@ function client_hello(t)
 table.insert(h, pack(">s3", b))
 -- Record layer version should be SSLv3 (lowest compatible record version)
- return record_write("handshake", t.record_protocol or "SSLv3", table.concat(h))
+ -- But some implementations (OpenSSL) will not finish a handshake that could
+ -- be downgraded by a MITM to SSLv3. So we use TLSv1.0 unless the caller
+ -- explicitly tries to set SSLv3.0 somewhere (t.record_protocol or
+ -- t.protocol)
+ local record_proto = t.record_protocol
+ if not record_proto then
+ record_proto = (t.protocol == "SSLv3") and "SSLv3" or "TLSv1.0"
+ end
+ return record_write("handshake", record_proto, table.concat(h))
 end
 local function read_atleast(s, n)
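Review bot: The retained context comment `-- Record layer version should be SSLv3 (lowest compatible record version)` in the nselib/tls.lua hunk now states the opposite of what the code below it does, because the default record version becomes TLSv1.0 whenever neither `t.record_protocol` nor `t.protocol` asks for SSLv3. I would fold it and the added "But ..." lines into one accurate statement, e.g. `-- Record layer version: t.record_protocol if given, else "SSLv3" only when t.protocol == "SSLv3", otherwise "TLSv1.0"`, followed by the OpenSSL rationale; the added text also says "SSLv3.0" where the compared string is "SSLv3". client_hello starts outside this hunk, so its doc comment is not visible here, but it should presumably record the new default as well: per the CHANGELOG entry, a script that relied on the old SSLv3 record layer must now fall back explicitly with `protocol = "SSLv3"`, and one that does not could report a false negative against an SSLv3-only server.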