diff --git a/xrdp-0.9.1-xrdp-ini.patch b/xrdp-0.9.1-xrdp-ini.patch
index a282360..de82256 100644
--- a/xrdp-0.9.1-xrdp-ini.patch
+++ b/xrdp-0.9.1-xrdp-ini.patch
@@ -1,6 +1,23 @@
 diff -urN xrdp-0.9.1/xrdp/xrdp.ini xrdp-0.9.1.xrdp-ini/xrdp/xrdp.ini
 --- xrdp-0.9.1/xrdp/xrdp.ini 2016-12-22 09:02:47.000000000 -0800
-+++ xrdp-0.9.1.xrdp-ini/xrdp/xrdp.ini 2017-03-09 15:47:04.828968234 -0800
++++ xrdp-0.9.1.xrdp-ini/xrdp/xrdp.ini 2017-03-10 14:22:32.547073051 -0800
+@@ -23,12 +23,12 @@
+ crypt_level=high
+ ; X.509 certificate and private key
+ ; openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 365
+-certificate=
+-key_file=
++certificate=/etc/xrdp/cert.pem
++key_file=/etc/xrdp/key.pem
+ ; specify whether SSLv3 should be disabled
+-#disableSSLv3=true
++disableSSLv3=true
+ ; set TLS cipher suites
+-#tls_ciphers=HIGH
++tls_ciphers=PROFILE=SYSTEM
+ 
+ ; Section name to use for automatic login if the client sends username
+ ; and password. If empty, the domain name sent by the client is used.
 @@ -147,16 +147,6 @@
 ; Session types
 ;
diff --git a/xrdp.spec b/xrdp.spec
index 4cc294d..83825f0 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -189,6 +189,7 @@ systemctl try-restart xrdp.service >/dev/null 2>&1 || :
 - Require /etc/X11/xinit/Xsession, it's called from startwm.sh
 - Call xrdp-keygen with full path in %posttrans
 - Exclude *.so files for non-modules
+- Set tls_ciphers to PROFILE=SYSTEM, disable SSLv3
 
 * Thu Mar 09 2017 Pavel Roskin - 1:0.9.1-6
 - Make xrdp depend on xorgxrdp, not on tigervnc-server-minimal
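Review bot: The new `certificate=/etc/xrdp/cert.pem` and `key_file=/etc/xrdp/key.pem` defaults in the inner `@@ -23,12 +23,12 @@` hunk point at files that nothing visible in this commit creates or protects, and the xrdp.spec changelog line records only the cipher and SSLv3 changes. The sample command in the comment above them uses `-nodes`, so the private key is stored unencrypted; the package should generate the pair at install time and keep `key.pem` readable only by the account xrdp runs as, and if the spec already does this outside the hunk the changelog should say so. If the files are missing, TLS presumably cannot be offered, so it is worth confirming that the configured security layer refuses the connection rather than falling back to the weaker classic RDP security. `tls_ciphers=PROFILE=SYSTEM` is understood only by OpenSSL builds that carry the distribution crypto-policies support, so I would add a comment next to it such as `; PROFILE=SYSTEM defers to the system-wide crypto policy; requires a crypto-policies-aware OpenSSL`.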