diff --git a/mutt-1.5.21-tlsv1v2.patch b/mutt-1.5.21-tlsv1v2.patch
new file mode 100644
index 0000000..6e96f4c
--- /dev/null
+++ b/mutt-1.5.21-tlsv1v2.patch
@@ -0,0 +1,146 @@
+Some servers have problem when connection uses TLS 1.0 or SSL 3.0.
+Since openssl offers TLS 1.1 and 1.2, we would like to use these
+when connecting to server, while having ability to disable these
+protocols if needed.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=957840
+
+Upstream related bug report:
+http://dev.mutt.org/trac/ticket/3571
+
+diff -up mutt-1.5.21/init.h.tlsv1v2 mutt-1.5.21/init.h
+--- mutt-1.5.21/init.h.tlsv1v2	2013-06-27 12:46:14.120389035 +0200
++++ mutt-1.5.21/init.h	2013-06-27 12:47:28.020387743 +0200
+@@ -2970,6 +2970,18 @@ struct option_t MuttVars[] = {
+   ** This variable specifies whether to attempt to use TLSv1 in the
+   ** SSL authentication process.
+   */
++  { "ssl_use_tlsv1_1", DT_BOOL, R_NONE, OPTTLSV1_1, 1 },
++  /*
++  ** .pp
++  ** This variable specifies whether to attempt to use TLSv1.1 in the
++  ** SSL authentication process.
++  */
++  { "ssl_use_tlsv1_2", DT_BOOL, R_NONE, OPTTLSV1_2, 1 },
++  /*
++  ** .pp
++  ** This variable specifies whether to attempt to use TLSv1.2 in the
++  ** SSL authentication process.
++  */
+ #ifdef USE_SSL_OPENSSL
+   { "ssl_usesystemcerts", DT_BOOL, R_NONE, OPTSSLSYSTEMCERTS, 1 },
+   /*
+diff -up mutt-1.5.21/mutt.h.tlsv1v2 mutt-1.5.21/mutt.h
+--- mutt-1.5.21/mutt.h.tlsv1v2	2010-09-13 19:19:55.000000000 +0200
++++ mutt-1.5.21/mutt.h	2013-06-27 12:47:28.020387743 +0200
+@@ -376,6 +376,8 @@ enum
+ # endif /* USE_SSL_GNUTLS */
+   OPTSSLV3,
+   OPTTLSV1,
++  OPTTLSV1_1,
++  OPTTLSV1_2,
+   OPTSSLFORCETLS,
+   OPTSSLVERIFYDATES,
+   OPTSSLVERIFYHOST,
+diff -up mutt-1.5.21/mutt_ssl.c.tlsv1v2 mutt-1.5.21/mutt_ssl.c
+--- mutt-1.5.21/mutt_ssl.c.tlsv1v2	2010-08-25 18:31:40.000000000 +0200
++++ mutt-1.5.21/mutt_ssl.c	2013-06-27 12:47:28.021387743 +0200
+@@ -106,6 +106,18 @@ int mutt_ssl_starttls (CONNECTION* conn)
+     dprint (1, (debugfile, "mutt_ssl_starttls: Error allocating SSL_CTX\n"));
+     goto bail_ssldata;
+   }
++#ifdef SSL_OP_NO_TLSv1_1
++  if (!option(OPTTLSV1_1))
++  {
++    SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_1);
++  }
++#endif
++#ifdef SSL_OP_NO_TLSv1_2
++  if (!option(OPTTLSV1_2))
++  {
++    SSL_CTX_set_options(ssldata->ctx, SSL_OP_NO_TLSv1_2);
++  }
++#endif
+ 
+   ssl_get_client_cert(ssldata, conn);
+ 
+@@ -303,6 +315,21 @@ static int ssl_socket_open (CONNECTION *
+   {
+     SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1);
+   }
++  /* TLSv1.1/1.2 support was added in OpenSSL 1.0.1, but some OS distros such
++   * as Fedora 17 are on OpenSSL 1.0.0.
++   */
++#ifdef SSL_OP_NO_TLSv1_1
++  if (!option(OPTTLSV1_1))
++  {
++    SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_1);
++  }
++#endif
++#ifdef SSL_OP_NO_TLSv1_2
++  if (!option(OPTTLSV1_2))
++  {
++    SSL_CTX_set_options(data->ctx, SSL_OP_NO_TLSv1_2);
++  }
++#endif
+   if (!option(OPTSSLV2))
+   {
+     SSL_CTX_set_options(data->ctx, SSL_OP_NO_SSLv2);
+diff -up mutt-1.5.21/mutt_ssl_gnutls.c.tlsv1v2 mutt-1.5.21/mutt_ssl_gnutls.c
+--- mutt-1.5.21/mutt_ssl_gnutls.c.tlsv1v2	2013-06-27 12:46:14.123389035 +0200
++++ mutt-1.5.21/mutt_ssl_gnutls.c	2013-06-27 12:47:28.018387743 +0200
+@@ -238,7 +238,11 @@ err_crt:
+   gnutls_x509_crt_deinit (clientcrt);
+ }
+ 
+-static int protocol_priority[] = {GNUTLS_TLS1, GNUTLS_SSL3, 0};
++/* This array needs to be large enough to hold all the possible values support
++ * by Mutt.  The initialized values are just placeholders--the array gets
++ * overwrriten in tls_negotiate() depending on the $ssl_use_* options.
++ */
++static int protocol_priority[] = {GNUTLS_TLS1_2, GNUTLS_TLS1_1, GNUTLS_TLS1, GNUTLS_SSL3, 0};
+ 
+ /* tls_negotiate: After TLS state has been initialised, attempt to negotiate
+  *   TLS over the wire, including certificate checks. */
+@@ -246,6 +250,7 @@ static int tls_negotiate (CONNECTION * c
+ {
+   tlssockdata *data;
+   int err;
++  size_t nproto = 0; /* number of tls/ssl protocols */
+ 
+   data = (tlssockdata *) safe_calloc (1, sizeof (tlssockdata));
+   conn->sockdata = data;
+@@ -286,22 +291,22 @@ static int tls_negotiate (CONNECTION * c
+   /* set socket */
+   gnutls_transport_set_ptr (data->state, (gnutls_transport_ptr)conn->fd);
+ 
++  if (option(OPTTLSV1_2))
++    protocol_priority[nproto++] = GNUTLS_TLS1_2;
++  if (option(OPTTLSV1_1))
++    protocol_priority[nproto++] = GNUTLS_TLS1_1;
++  if (option(OPTTLSV1))
++    protocol_priority[nproto++] = GNUTLS_TLS1;
++  if (option(OPTSSLV3))
++    protocol_priority[nproto++] = GNUTLS_SSL3;
++  protocol_priority[nproto] = 0;
++
+   /* disable TLS/SSL protocols as needed */
+-  if (!option(OPTTLSV1) && !option(OPTSSLV3))
++  if (nproto == 0)
+   {
+     mutt_error (_("All available protocols for TLS/SSL connection disabled"));
+     goto fail;
+   }
+-  else if (!option(OPTTLSV1))
+-  {
+-    protocol_priority[0] = GNUTLS_SSL3;
+-    protocol_priority[1] = 0;
+-  }
+-  else if (!option(OPTSSLV3))
+-  {
+-    protocol_priority[0] = GNUTLS_TLS1;
+-    protocol_priority[1] = 0;
+-  }
+   /*
+   else
+     use the list set above
diff --git a/mutt.spec b/mutt.spec
index a9fc8ba..656bd92 100644
--- a/mutt.spec
+++ b/mutt.spec
@@ -16,7 +16,7 @@
 Summary: A text mode mail user agent
 Name: mutt
 Version: 1.5.21
-Release: 20%{?dist}
+Release: 21%{?dist}
 Epoch: 5
 # The entire source code is GPLv2+ except
 # pgpewrap.c setenv.c sha1.c wcwidth.c which are Public Domain
@@ -40,6 +40,7 @@ Patch14: mutt-1.5.21-writehead.patch
 Patch15: mutt-1.5.21-tmpdir.patch
 Patch16: mutt-1.5.21-verpeers.patch
 Patch17: mutt-1.5.21-manhelp.patch
+Patch18: mutt-1.5.21-tlsv1v2.patch
 Url: http://www.mutt.org/
 Requires: mailcap urlview
 BuildRequires: ncurses-devel
@@ -91,6 +92,7 @@ for selecting groups of messages.
 %patch15 -p1 -b .tmpdir
 %patch16 -p1 -b .verpeers
 %patch17 -p1 -b .manhelp
+%patch18 -p1 -b .tlsv1v2
 
 sed -i.gpgerror 's/`$GPGME_CONFIG --libs`/"\0 -lgpg-error"/' configure
 
@@ -177,6 +179,10 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5
 %{_mandir}/man5/muttrc.*
 
 %changelog
+* Thu Jun 27 2013 Honza Horak <hhorak@redhat.com> - 5:1.5.21-21
+- Backported support for TLS 1.2 and TLS 1.2 protocols
+  Resolves: #957840
+
 * Wed May 29 2013 Honza Horak <hhorak@redhat.com> - 5:1.5.21-20
 - Fix patch for #750929
   Resolves: #957542
@@ -615,10 +621,10 @@ ln -sf ./muttrc.5 $RPM_BUILD_ROOT%{_mandir}/man5/muttrc.local.5
 * Sat Jan  1 2000 Bill Nottingham <notting@redhat.com>
 - fix an odd y2k issue on receiving mail from ancient clients
 
-* Fri Oct 21 1999 Bill Nottingham <notting@redhat.com>
+* Thu Oct 21 1999 Bill Nottingham <notting@redhat.com>
 - one-point-oh.
 
-* Fri Sep 25 1999 Bill Nottingham <notting@redhat.com>
+* Sat Sep 25 1999 Bill Nottingham <notting@redhat.com>
 - add a buffer overflow patch
 
 * Tue Aug 31 1999 Bill Nottingham <notting@redhat.com>