diff --git a/README.md b/README.md index b6f8986..60b067f 100644 --- a/README.md +++ b/README.md @@ -138,6 +138,9 @@ Add a syslog rule (using the `saz/rsyslog` module). Default: `false`. ##### `log_auth` Log authentication requests (yes/no). Default: `no`. +##### `allow_vulnerable_openssl` +Allow the server to start with versions of OpenSSL known to have critical vulnerabilities. (yes/no). Default: `yes`. + ##### `package_ensure` Choose whether the package is just installed and left (`installed`), or updated every Puppet run (`latest`). Default: `installed` diff --git a/manifests/init.pp b/manifests/init.pp index fdd364b..a0eae33 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -17,6 +17,7 @@ Boolean $syslog = false, String $syslog_facility = 'daemon', Freeradius::Boolean $log_auth = 'no', + Freeradius::Boolean $allow_vulnerable_ssl = 'yes', Boolean $preserve_mods = true, Boolean $correct_escapes = true, Boolean $manage_logpath = true, diff --git a/templates/radiusd.conf.erb b/templates/radiusd.conf.erb index 3d71565..87e8614 100644 --- a/templates/radiusd.conf.erb +++ b/templates/radiusd.conf.erb @@ -574,7 +574,7 @@ security { # and may not reflect patches applied to libssl by # distribution maintainers. # - allow_vulnerable_openssl = yes + allow_vulnerable_openssl = <%= @allow_vulnerable_openssl%> } # PROXY CONFIGURATION
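Review bot: The parameter added in the manifests/init.pp hunk is declared as `$allow_vulnerable_ssl`, but the templates/radiusd.conf.erb hunk reads `@allow_vulnerable_openssl` and the README hunk documents `allow_vulnerable_openssl`, so a value set on the class never reaches the template. An instance variable that is not defined in the class scope most likely renders as an empty string in ERB, which would leave `allow_vulnerable_openssl = ` with no value in the generated radiusd.conf. Renaming the declaration to `Freeradius::Boolean $allow_vulnerable_openssl = 'yes',` makes all three places agree. Separately, the `'yes'` default preserves the previously hard-coded behaviour but keeps the OpenSSL version check switched off on every node that does not override it; the README entry should say that `no` is the stricter setting and makes the server refuse to start on a flagged OpenSSL version. The class parameter list starts and ends outside the hunk.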