diff --git a/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch b/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
new file mode 100644
index 0000000..354cb83
--- /dev/null
+++ b/SOURCES/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
@@ -0,0 +1,132 @@
+diff --git a/features.c b/features.c
+index d024366..3a60b88 100644
+--- a/features.c
++++ b/features.c
+@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
+     {
+       vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
+     }
+-    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
++    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
+     {
+       vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
+     }
+diff --git a/parseconf.c b/parseconf.c
+index 3729818..2c5ffe6 100644
+--- a/parseconf.c
++++ b/parseconf.c
+@@ -87,6 +87,7 @@ parseconf_bool_array[] =
+   { "ssl_tlsv1", &tunable_tlsv1 },
+   { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+   { "ssl_tlsv1_2", &tunable_tlsv1_2 },
++  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
+   { "tilde_user_enable", &tunable_tilde_user_enable },
+   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
+   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
+diff --git a/ssl.c b/ssl.c
+index 09ec96a..5d9c595 100644
+--- a/ssl.c
++++ b/ssl.c
+@@ -178,6 +178,10 @@ ssl_init(struct vsf_session* p_sess)
+     {
+       options |= SSL_OP_NO_TLSv1_2;
+     }
++    if (!tunable_tlsv1_3)
++    {
++      options |= SSL_OP_NO_TLSv1_3;
++    }
+     SSL_CTX_set_options(p_ctx, options);
+     if (tunable_rsa_cert_file)
+     {
+diff --git a/tunables.c b/tunables.c
+index c96c1ac..e6fbb9d 100644
+--- a/tunables.c
++++ b/tunables.c
+@@ -68,6 +68,7 @@ int tunable_sslv3;
+ int tunable_tlsv1;
+ int tunable_tlsv1_1;
+ int tunable_tlsv1_2;
++int tunable_tlsv1_3;
+ int tunable_tilde_user_enable;
+ int tunable_force_anon_logins_ssl;
+ int tunable_force_anon_data_ssl;
+@@ -217,8 +218,9 @@ tunables_load_defaults()
+   tunable_sslv3 = 0;
+   tunable_tlsv1 = 0;
+   tunable_tlsv1_1 = 0;
+-  /* Only TLSv1.2 is enabled by default */
++  /* Only TLSv1.2 and TLSv1.3 are enabled by default */
+   tunable_tlsv1_2 = 1;
++  tunable_tlsv1_3 = 1;
+   tunable_tilde_user_enable = 0;
+   tunable_force_anon_logins_ssl = 0;
+   tunable_force_anon_data_ssl = 0;
+diff --git a/tunables.h b/tunables.h
+index 8d50150..6e1d301 100644
+--- a/tunables.h
++++ b/tunables.h
+@@ -69,6 +69,7 @@ extern int tunable_sslv3;                     /* Allow SSLv3 */
+ extern int tunable_tlsv1;                     /* Allow TLSv1 */
+ extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
+ extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
++extern int tunable_tlsv1_3;                   /* Allow TLSv1.3 */
+ extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
+ extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
+ extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 815773f..c37a536 100644
+--- a/vsftpd.conf.5
++++ b/vsftpd.conf.5
+@@ -555,7 +555,7 @@ Default: YES
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit SSL v2 protocol connections.
+-TLS v1.2 connections are preferred.
++TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: NO
+ .TP
+@@ -563,7 +563,7 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit SSL v3 protocol connections.
+-TLS v1.2 connections are preferred.
++TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: NO
+ .TP
+@@ -571,7 +571,7 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1 protocol connections.
+-TLS v1.2 connections are preferred.
++TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: NO
+ .TP
+@@ -579,7 +579,7 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.1 protocol connections.
+-TLS v1.2 connections are preferred.
++TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: NO
+ .TP
+@@ -587,7 +587,15 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+-TLS v1.2 connections are preferred.
++TLS v1.2 and TLS v1.3 connections are preferred.
++
++Default: YES
++.TP
++.B ssl_tlsv1_3
++Only applies if
++.BR ssl_enable
++is activated. If enabled, this option will permit TLS v1.3 protocol connections.
++TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: YES
+ .TP
diff --git a/SPECS/vsftpd.spec b/SPECS/vsftpd.spec
index a235e73..523454b 100644
--- a/SPECS/vsftpd.spec
+++ b/SPECS/vsftpd.spec
@@ -2,7 +2,7 @@
 
 Name:    vsftpd
 Version: 3.0.3
-Release: 34%{?dist}
+Release: 35%{?dist}
 Summary: Very Secure Ftp Daemon
 
 Group:    System Environment/Daemons
@@ -96,6 +96,7 @@ Patch64: 0003-Repeat-pututxline-until-it-succeeds-if-it-fails-with.patch
 Patch65: 0001-Fix-timestamp-handling-in-MDTM.patch
 Patch66: 0001-Remove-a-hint-about-the-ftp_home_dir-SELinux-boolean.patch
 Patch67: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
+Patch68: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
 
 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@@ -164,7 +165,11 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp
 
 %changelog
-* Mon Apr 12 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-33
+* Fri Dec 03 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-35
+- add option to disable TLSv1.3
+- Resolves: rhbz#1638375
+
+* Mon Apr 12 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-34
 - Enable support for wide-character strings in logs
 - Replace unprintables with HEX code, not question marks
 - Resolves: rhbz#1947900