diff --git a/common.go b/common.go
index da1eae0..ef0b385 100644
--- a/common.go
+++ b/common.go
@@ -794,6 +794,10 @@ var supportedVersions = []uint16{
 func (c *Config) supportedVersions(isClient bool) []uint16 {
 	versions := make([]uint16, 0, len(supportedVersions))
 	for _, v := range supportedVersions {
+		// TLS 1.0 is the default minimum version.
+		if (c == nil || c.MinVersion == 0) && v < VersionTLS10 {
+			continue
+		}
 		if c != nil && c.MinVersion != 0 && v < c.MinVersion {
 			continue
 		}
diff --git a/handshake_server_test.go b/handshake_server_test.go
index 22b126f..a9c1c08 100644
--- a/handshake_server_test.go
+++ b/handshake_server_test.go
@@ -77,6 +77,20 @@ func TestRejectBadProtocolVersion(t *testing.T) {
 	}, "unsupported versions")
 }
 
+func TestSSLv3OptIn(t *testing.T) {
+	config := testConfig.Clone()
+	config.MinVersion = 0
+	testClientHelloFailure(t, config, &clientHelloMsg{
+		vers:   VersionSSL30,
+		random: make([]byte, 32),
+	}, "unsupported versions")
+	testClientHelloFailure(t, config, &clientHelloMsg{
+		vers:              VersionTLS12,
+		supportedVersions: []uint16{VersionSSL30},
+		random:            make([]byte, 32),
+	}, "unsupported versions")
+}
+
 func TestNoSuiteOverlap(t *testing.T) {
 	clientHello := &clientHelloMsg{
 		vers:               VersionTLS10,