diff --git a/manifests/stunnel/service_proxy.pp b/manifests/stunnel/service_proxy.pp
index 2c9519a83..591210056 100644
--- a/manifests/stunnel/service_proxy.pp
+++ b/manifests/stunnel/service_proxy.pp
@@ -42,6 +42,10 @@
 #   Host where the tunnel will be proxying to.
 #   Defaults to 'localhost'
 #
+# [*ssl_version*]
+#   (Optional) select the TLS protocol version
+#   Defaults to 'TLSv1.2'
+#
 define tripleo::stunnel::service_proxy (
   $accept_host,
   $accept_port,
@@ -50,6 +54,7 @@ define tripleo::stunnel::service_proxy (
   $key,
   $client = 'no',
   $connect_host = 'localhost',
+  $ssl_version = 'TLSv1.2'
 ) {
   concat::fragment { "stunnel-service-${name}":
     target  => '/etc/stunnel/stunnel.conf',
diff --git a/templates/stunnel/service.erb b/templates/stunnel/service.erb
index b707444a3..63f298c50 100644
--- a/templates/stunnel/service.erb
+++ b/templates/stunnel/service.erb
@@ -4,3 +4,4 @@ accept=<%= @accept_host %>:<%= @accept_port %>
 connect=<%= @connect_host %>:<%= @connect_port %>
 cert=<%= @certificate %>
 key=<%= @key %>
+sslVersion = <%= @ssl_version %>