diff -r d489394a73de Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py	Tue Dec 17 15:12:46 2013 +0200
+++ b/Lib/test/test_ssl.py	Thu Dec 19 12:27:25 2013 +0100
@@ -150,6 +150,10 @@ class BasicSocketTests(unittest.TestCase
         else:
             self.assertRaises(ssl.SSLError, ssl.RAND_bytes, 16)
 
+        # negative num is invalid
+        self.assertRaises(ValueError, ssl.RAND_bytes, -5)
+        self.assertRaises(ValueError, ssl.RAND_pseudo_bytes, -5)
+
         self.assertRaises(TypeError, ssl.RAND_egd, 1)
         self.assertRaises(TypeError, ssl.RAND_egd, 'foo', 1)
         ssl.RAND_add("this is a random string", 75.0)
diff -r d489394a73de Modules/_ssl.c
--- a/Modules/_ssl.c	Tue Dec 17 15:12:46 2013 +0200
+++ b/Modules/_ssl.c	Thu Dec 19 12:27:25 2013 +0100
@@ -3244,6 +3244,11 @@ PySSL_RAND(int len, int pseudo)
     const char *errstr;
     PyObject *v;
 
+    if (len < 0) {
+        PyErr_SetString(PyExc_ValueError, "num must be positive");
+        return NULL;
+    }
+
     bytes = PyBytes_FromStringAndSize(NULL, len);
     if (bytes == NULL)
         return NULL;