diff -r 8a32d44b8359 Modules/_ssl.c
--- a/Modules/_ssl.c Thu Nov 19 08:16:52 2015 -0800
+++ b/Modules/_ssl.c Thu Nov 19 19:32:27 2015 +0000
@@ -2283,6 +2283,19 @@
 options |= SSL_OP_NO_SSLv3;
 SSL_CTX_set_options(self->ctx, options);

+#if defined(SSL_MODE_RELEASE_BUFFERS)
+ /* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces memory
+ usage for no cost at all. However, don't do this for OpenSSL versions
+ between 1.0.0 and 1.0.1g, which are affected by CVE 2014-0198. I can't
+ find exactly which beta fixed this CVE, so be conservative and assume it
+ wasn't fixed until release.
+ See #25672 for more on this. */
+#if OPENSSL_VERSION_NUMBER < 0x10000000L || OPENSSL_VERSION_NUMBER >= 0x1000107fL
+ SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+#endif
+
+
 #ifndef OPENSSL_NO_ECDH
 /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
 prime256v1 by default. This is Apache mod_ssl's initialization
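Review bot: The version guard `OPENSSL_VERSION_NUMBER >= 0x1000107fL` enables SSL_MODE_RELEASE_BUFFERS starting at 1.0.1g, but the OpenSSL advisory for CVE-2014-0198 lists 1.0.1g as affected and names 1.0.1h (and 1.0.0m on the 1.0.0 branch) as the fixed releases, so the new comment's "between 1.0.0 and 1.0.1g" reads as inclusive and contradicts the threshold by one patch level. On a 1.0.1g build this turns the NULL-dereference DoS in do_ssl3_write into a reachable condition that the patch is explicitly trying to avoid. The guard should be `#if OPENSSL_VERSION_NUMBER < 0x10000000L || OPENSSL_VERSION_NUMBER >= 0x1000108fL` and the comment updated to say "between 1.0.0 and 1.0.1h (exclusive)"; leaving 1.0.0m disabled is a conservative loss of the optimisation, not a risk, which the comment could also note. The enclosing context-initialisation function starts and ends outside the hunk, so whether `self->ctx` can still be NULL at this point is not visible here.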