diff --git a/apps/s_client.c b/apps/s_client.c
index 34ad2ce..958a3f8 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -344,6 +344,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
 #endif
 	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+    BIO_printf(bio_err," -not_send_ri          - do not sent renegotiation_info extension\n");
 	}
 
 #ifndef OPENSSL_NO_TLSEXT
@@ -661,6 +662,8 @@ int MAIN(int argc, char **argv)
 			off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
 		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
 			off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+        else if	(strcmp(*argv,"-not_send_ri") == 0)
+			 off|=SSL_OP_DO_NOT_SEND_RI;
 		else if	(strcmp(*argv,"-legacy_server_connect") == 0)
 			{ off|=SSL_OP_LEGACY_SERVER_CONNECT; }
 		else if	(strcmp(*argv,"-no_legacy_server_connect") == 0)
diff --git a/apps/s_server.c b/apps/s_server.c
index 957ec07..4fab1fc 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -492,6 +492,9 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");
 	BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n");
 	BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+    BIO_printf(bio_err," -handle_cpro_bug      - send fake extension (65000) to allow broken GOST clients to connect\n");
+    BIO_printf(bio_err," -not_send_ri          - do not sent renegotiation_info extension\n");
+    
 #endif
 	}
 
@@ -1124,6 +1127,11 @@ int MAIN(int argc, char *argv[])
 			{ off|=SSL_OP_NO_TLSv1; }
 		else if	(strcmp(*argv,"-no_comp") == 0)
 			{ off|=SSL_OP_NO_COMPRESSION; }
+        else if	(strcmp(*argv,"-handle_cpro_bug") == 0)
+			{ off|=SSL_OP_CRYPTOPRO_TLSEXT_BUG; }
+        else if	(strcmp(*argv,"-not_send_ri") == 0)
+			{ off|=SSL_OP_DO_NOT_SEND_RI; }
+
 #ifndef OPENSSL_NO_TLSEXT
 		else if	(strcmp(*argv,"-no_ticket") == 0)
 			{ off|=SSL_OP_NO_TICKET; }
diff --git a/ssl/ssl.h b/ssl/ssl.h
index e4c3f65..3c0adc6 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -527,6 +527,16 @@ typedef struct ssl_session_st
 #define SSL_OP_TLS_D5_BUG				0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
 
+/* Do not send renegotiation_info TLS extension.
+ * Required for compatibility with clients, which can't understand this extension 
+ * (but do require other extensions).
+ * Among others, it is Windows clients, which do not support KB980436 correctly
+ * (KB980436 is a Windows Update, implemented RFC5746 (http://tools.ietf.org/html/rfc5746) 
+ * "TLS Renegotiation Indication Extension"
+ * http://support.microsoft.com/kb/980436
+ */    
+#define SSL_OP_DO_NOT_SEND_RI                   0x00000400L
+
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
  * the workaround is not needed.  Unfortunately some broken SSL/TLS
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 85371c8..57d3f3e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -276,9 +276,13 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 	unsigned char *ret = p;
 
 	/* don't add extensions for SSLv3 unless doing secure renegotiation */
-	if (s->client_version == SSL3_VERSION
-					&& !s->s3->send_connection_binding)
+	if (s->client_version == SSL3_VERSION &&
+            (   !s->s3->send_connection_binding
+             || (SSL_get_options(s) & SSL_OP_DO_NOT_SEND_RI))
+       )
+        {
 		return p;
+        }
 
 	ret+=2;
 
@@ -317,7 +321,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 		}
 
         /* Add RI if renegotiating */
-        if (s->new_session)
+        if (s->new_session 
+                  &&  !(SSL_get_options(s) & SSL_OP_DO_NOT_SEND_RI))
           {
           int el;
           
@@ -507,8 +512,13 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
 	unsigned char *ret = p;
 
 	/* don't add extensions for SSLv3, unless doing secure renegotiation */
-	if (s->version == SSL3_VERSION && !s->s3->send_connection_binding)
+	if (s->version == SSL3_VERSION && 
+         (!s->s3->send_connection_binding
+          || (SSL_get_options(s) & SSL_OP_DO_NOT_SEND_RI))
+       )
+        {
 		return p;
+        }
 	
 	ret+=2;
 	if (ret>=limit) return NULL; /* this really never occurs, but ... */
@@ -521,7 +531,8 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
 		s2n(0,ret);
 		}
 
-	if(s->s3->send_connection_binding)
+	if(s->s3->send_connection_binding
+            && !(SSL_get_options(s) & SSL_OP_DO_NOT_SEND_RI))
         {
           int el;