diff --git a/README.md b/README.md
index 67d8122..0482a3b 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,11 @@ variables:
    Default ``
    If set to `yes` then squid configuration templating removes all `cache_dir`
    lines, setting squid to memory only cache.
+ * `TLS_OPTIONS`
+   Default `NO_SSLv3,NO_TLSv1`
+   Allow overriding the default tls_outgoing_options supplied to OpenSSL. These
+   are safe defaults, but if you're in a really broken environment might not be
+   usable.
 
 # Proxychains
 By default squid in SSL MITM mode treats `cache_peer` entries quite differently.
diff --git a/docker-squid/squid.conf.p2 b/docker-squid/squid.conf.p2
index 3e11759..7c920df 100644
--- a/docker-squid/squid.conf.p2
+++ b/docker-squid/squid.conf.p2
@@ -19,7 +19,7 @@ maximum_object_size {{MAX_OBJECT_SIZE|default:"1536 MB"}}
 cache_mem {{MEM_CACHE_SIZE|default:"128 MB"}}
 
 tls_outgoing_options capath=/etc/ssl/certs \
-    options=NO_SSLv3,NO_TLSv1 \
+    options={{TLS_OPTIONS|default:"NO_SSLv3,NO_TLSv1"}} \
     cipher=ALL:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
 
 http_port {{HTTP_PORT}} {% if MITM_PROXY|default:"" == "yes" %} ssl-bump \