diff --git a/.gitignore b/.gitignore
index cffc6b3b..0def3fe9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,5 @@
 /pkg/
 /spec/reports/
 /tmp/
+/.tool-versions
 /Gemfile.lock
diff --git a/lib/net/http.rb b/lib/net/http.rb
index 83cf46cb..8b7ee50e 100644
--- a/lib/net/http.rb
+++ b/lib/net/http.rb
@@ -952,6 +952,14 @@ def HTTP.https_default_port
       443
     end
 
+    def HTTP.default_ssl_options
+      defined?(@@default_ssl_options) ? @@default_ssl_options : nil
+    end
+
+    def HTTP.default_ssl_options=(opt)
+      @@default_ssl_options = opt
+    end
+
     def HTTP.socket_type   #:nodoc: obsolete
       BufferedIO
     end
@@ -1032,6 +1040,7 @@ def HTTP.socket_type   #:nodoc: obsolete
     # - #open_timeout
     # - #read_timeout
     # - #ssl_timeout
+    # - #ssl_options
     # - #ssl_version
     # - +use_ssl+ (calls #use_ssl=)
     # - #verify_callback
@@ -1190,6 +1199,7 @@ def initialize(address, port = nil) # :nodoc:
 
       @use_ssl = false
       @ssl_context = nil
+      @ssl_options = HTTP.default_ssl_options
       @ssl_session = nil
       @sspi_enabled = false
       SSL_IVNAMES.each do |ivname|
@@ -1520,6 +1530,7 @@ def use_ssl=(flag)
       :extra_chain_cert,
       :key,
       :ssl_timeout,
+      :options,
       :ssl_version,
       :min_version,
       :max_version,
@@ -1559,6 +1570,9 @@ def use_ssl=(flag)
     # Sets or returns the SSL timeout seconds.
     attr_accessor :ssl_timeout
 
+    # Sets the SSL options. See OpenSSL::SSL::SSLContext#ssl_options=
+    attr_accessor :ssl_options
+
     # Sets or returns the SSL version.
     # See {OpenSSL::SSL::SSLContext#ssl_version=}[OpenSSL::SSL::SSL::Context#ssl_version=].
     attr_accessor :ssl_version
diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
index e860c874..cbf655d0 100644
--- a/test/net/http/test_https.rb
+++ b/test/net/http/test_https.rb
@@ -286,6 +286,16 @@ def test_max_version
     assert_match(re_msg, ex.message)
   end
 
+  def test_ssl_options
+    http = Net::HTTP.new(HOST, config("port"))
+    http.use_ssl = true
+    http.ssl_options = OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT
+    http.cert_store = TEST_STORE
+    http.request_get("/") {|res|
+      assert_equal($test_net_http_data, res.body)
+    }
+  end
+
 end if defined?(OpenSSL::SSL)
 
 class TestNetHTTPSIdentityVerifyFailure < Test::Unit::TestCase