diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 48adbcd..92b3680 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3310,6 +3310,13 @@
 		memcpy(parg, s->s3->tlsext_channel_id, larg < 64 ? larg : 64);
 		return 64;
 
+	case SSL_CTRL_FALLBACK_SCSV:
+		if (s->server)
+			break;
+		s->fallback_scsv = 1;
+		ret = 1;
+		break;
+
 	default:
 		break;
 		}
diff --git a/ssl/ssl.h b/ssl/ssl.h
index bdde6d5..fdb2808 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1663,6 +1663,10 @@
 	                 * 2 if we are a server and are inside a handshake
 	                 * (i.e. not just sending a HelloRequest) */
 
+	/* fallback_scsv is non-zero iff we are sending the TLS_FALLBACK_SCSV
+	 * cipher suite value. Only applies to a client. */
+	char fallback_scsv;
+
 #ifndef OPENSSL_NO_DANE
 	unsigned char *tlsa_record;
 	int tlsa_witness;
@@ -1965,6 +1969,8 @@
 #define SSL_CTRL_GET_CHANNEL_ID			118
 #define SSL_CTRL_SET_CHANNEL_ID			119
 
+#define SSL_CTRL_FALLBACK_SCSV			120
+
 #define DTLSv1_get_timeout(ssl, arg) \
 	SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
 #define DTLSv1_handle_timeout(ssl) \
@@ -2135,6 +2141,9 @@
 #define SSL_get0_ec_point_formats(s, plst) \
 	SSL_ctrl(s,SSL_CTRL_GET_EC_POINT_FORMATS,0,(char *)plst)
 
+#define SSL_enable_fallback_scsv(s) \
+	SSL_ctrl(s, SSL_CTRL_FALLBACK_SCSV, 0, NULL)
+
 #ifndef OPENSSL_NO_BIO
 BIO_METHOD *BIO_f_ssl(void);
 BIO *BIO_new_ssl(SSL_CTX *ctx,int client);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2b4f07c..50a36dc 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1558,6 +1558,9 @@
 	if (sk == NULL) return(0);
 	q=p;
 
+	if (put_cb == NULL)
+		put_cb = s->method->put_cipher_by_char;
+
 	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
 		{
 		c=sk_SSL_CIPHER_value(sk,i);
@@ -1575,23 +1578,35 @@
 				no_scsv = 1;
 			}
 #endif
-		j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
-		p+=j;
+		j = put_cb(c, p);
+		p += j;
 		}
 	/* If p == q, no ciphers and caller indicates an error. Otherwise
 	 * add SCSV if not renegotiating.
 	 */
-	if (p != q && !no_scsv)
+	if (p != q)
 		{
-		static SSL_CIPHER scsv =
+		if (!no_scsv)
 			{
-			0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-			};
-		j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
-		p+=j;
+			static SSL_CIPHER scsv =
+				{
+				0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+				};
+			j = put_cb(&scsv, p);
+			p += j;
 #ifdef OPENSSL_RI_DEBUG
-		fprintf(stderr, "SCSV sent by client\n");
+			fprintf(stderr, "SCSV sent by client\n");
 #endif
+			}
+		if (s->fallback_scsv)
+			{
+			static SSL_CIPHER fallback_scsv =
+				{
+				0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
+				};
+			j = put_cb(&fallback_scsv, p);
+			p += j;
+			}
 		}
 
 	return(p-q);
diff --git a/ssl/test/client_shim.cc b/ssl/test/client_shim.cc
index 9beaf59..e4a18d7 100644
--- a/ssl/test/client_shim.cc
+++ b/ssl/test/client_shim.cc
@@ -53,13 +53,24 @@
   return NULL;
 }
 
-int main() {
+int main(int argc, char **argv) {
+  int i;
+
   SSL *client = setup_test();
   if (client == NULL) {
     BIO_print_errors_fp(stdout);
     return 1;
   }
 
+  for (i = 1; i < argc; i++) {
+    if (strcmp(argv[i], "-fallback-scsv") == 0) {
+      SSL_enable_fallback_scsv(client);
+    } else {
+      fprintf(stderr, "Unknown argument: %s\n", argv[i]);
+      return 1;
+    }
+  }
+
   if (SSL_connect(client) != 1) {
     SSL_free(client);
     BIO_print_errors_fp(stdout);
diff --git a/ssl/test/runner/cipher_suites.go b/ssl/test/runner/cipher_suites.go
index 11c8bdd..bf1a755 100644
--- a/ssl/test/runner/cipher_suites.go
+++ b/ssl/test/runner/cipher_suites.go
@@ -287,4 +287,5 @@
 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
 	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030
+	fallbackSCSV                            uint16 = 0x5600
 )
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 0905e9f..fd78eb6 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -341,6 +341,10 @@
 	// PaddingFirstByteBadIf255 causes the first byte of padding to be
 	// incorrect if there's a maximum amount of padding (i.e. 255 bytes).
 	PaddingFirstByteBadIf255 bool
+
+	// FailIfNotFallbackSCSV causes a server handshake to fail if the
+	// client doesn't send the fallback SCSV value.
+	FailIfNotFallbackSCSV bool
 }
 
 func (c *Config) serverInit() {
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 7a44a94..854c7ff 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -184,6 +184,21 @@
 		return true, nil
 	}
 
+	var scsvFound bool
+
+	for _, cipherSuite := range hs.clientHello.cipherSuites {
+		if cipherSuite == fallbackSCSV {
+			scsvFound = true
+			break
+		}
+	}
+
+	if !scsvFound && config.Bugs.FailIfNotFallbackSCSV {
+		return false, errors.New("tls: no fallback SCSV found when expected")
+	} else if scsvFound && !config.Bugs.FailIfNotFallbackSCSV {
+		return false, errors.New("tls: fallback SCSV found when not expected")
+	}
+
 	var preferenceList, supportedList []uint16
 	if c.config.PreferServerCipherSuites {
 		preferenceList = c.config.cipherSuites()
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index b5743c5..1ec3795 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -47,9 +47,15 @@
 	config        Config
 	shouldFail    bool
 	expectedError string
+	// expectedLocalError, if not empty, contains a substring that must be
+	// found in the local error.
+	expectedLocalError string
 	// messageLen is the length, in bytes, of the test message that will be
 	// sent.
 	messageLen int
+	// flag, if not nil, contains a command line flag that will be passed
+	// to the shim program.
+	flag string
 }
 
 var clientTests = []testCase{
@@ -88,6 +94,16 @@
 		shouldFail:    true,
 		expectedError: ":WRONG_CURVE:",
 	},
+	{
+		name: "FallbackSCSV",
+		config: Config{
+			Bugs: ProtocolBugs{
+				FailIfNotFallbackSCSV: true,
+			},
+		},
+		shouldFail:         true,
+		expectedLocalError: "no fallback SCSV found",
+	},
 }
 
 func doExchange(tlsConn *Conn, messageLen int) error {
@@ -185,13 +201,16 @@
 	stderr := string(stderrBuf.Bytes())
 	failed := err != nil || childErr != nil
 	correctFailure := len(test.expectedError) == 0 || strings.Contains(stdout, test.expectedError)
+	localError := "none"
+	if err != nil {
+		localError = err.Error()
+	}
+	if len(test.expectedLocalError) != 0 {
+		correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
+	}
 
 	if failed != test.shouldFail || failed && !correctFailure {
-		localError := "none"
 		childError := "none"
-		if err != nil {
-			localError = err.Error()
-		}
 		if childErr != nil {
 			childError = childErr.Error()
 		}
@@ -203,7 +222,7 @@
 		case !failed && test.shouldFail:
 			msg = "unexpected success"
 		case failed && !correctFailure:
-			msg = "bad error (wanted '" + test.expectedError + "')"
+			msg = "bad error (wanted '" + test.expectedError + "' / '" + test.expectedLocalError + "')"
 		default:
 			panic("internal error")
 		}