diff --git a/offlineimap.conf b/offlineimap.conf
index 95611f0..9d003cb 100644
--- a/offlineimap.conf
+++ b/offlineimap.conf
@@ -753,6 +753,9 @@ remotehost = examplehost
 #   - ssl3 (less desirable than tls1)
 #   - ssl23 (can fallback up to ssl3)
 #
+# When tls_level is not set to tls_compat, the ssl_version configuration option
+# must be explicitly set.
+#
 #tls_level = tls_compat
 
 
diff --git a/offlineimap/imaplibutil.py b/offlineimap/imaplibutil.py
index a3824dd..16c3b28 100644
--- a/offlineimap/imaplibutil.py
+++ b/offlineimap/imaplibutil.py
@@ -22,10 +22,11 @@ import threading
 import socket
 import errno
 import zlib
-import six
 from sys import exc_info
 from hashlib import sha1
 
+import six
+
 from offlineimap import OfflineImapError
 from offlineimap.ui import getglobalui
 from offlineimap.virtual_imaplib2 import IMAP4, IMAP4_SSL, InternalDate, Mon2num
diff --git a/offlineimap/imapserver.py b/offlineimap/imapserver.py
index c0a5697..5dbbfb6 100644
--- a/offlineimap/imapserver.py
+++ b/offlineimap/imapserver.py
@@ -20,15 +20,16 @@ import socket
 import base64
 import json
 import urllib
-import socket
 import time
 import errno
-import six
-from sys import exc_info
+import socket
 from socket import gaierror
+from sys import exc_info
 from ssl import SSLError, cert_time_to_seconds
 from threading import Lock, BoundedSemaphore, Thread, Event, currentThread
 
+import six
+
 import offlineimap.accounts
 from offlineimap import imaplibutil, imaputil, threadutil, OfflineImapError
 from offlineimap.ui import getglobalui
@@ -102,10 +103,14 @@ class IMAPServer(object):
         if self.sslcacertfile is None:
             self.__verifycert = None # disable cert verification
         self.fingerprint = repos.get_ssl_fingerprint()
-        self.sslversion = repos.getsslversion()
         self.tlslevel = repos.gettlslevel()
+        self.sslversion = repos.getsslversion()
         self.starttls = repos.getstarttls()
 
+        if self.tlslevel is not "tls_compat" and self.sslversion is None:
+            raise Exception("When 'tls_version' is not 'tls_compat' "
+                "the 'ssl_version' must be set explicitly.")
+
         self.oauth2_refresh_token = repos.getoauth2_refresh_token()
         self.oauth2_access_token = repos.getoauth2_access_token()
         self.oauth2_client_id = repos.getoauth2_client_id()
@@ -494,13 +499,13 @@ class IMAPServer(object):
                 elif self.usessl:
                     self.ui.connecting(self.hostname, self.port)
                     imapobj = imaplibutil.WrappedIMAP4_SSL(
-                        self.hostname,
-                        self.port,
-                        self.sslclientkey,
-                        self.sslclientcert,
-                        self.sslcacertfile,
-                        self.__verifycert,
-                        self.sslversion,
+                        host=self.hostname,
+                        port=self.port,
+                        keyfile=self.sslclientkey,
+                        certfile=self.sslclientcert,
+                        ca_certs=self.sslcacertfile,
+                        cert_verify_cb=self.__verifycert,
+                        ssl_version=self.sslversion,
                         timeout=socket.getdefaulttimeout(),
                         fingerprint=self.fingerprint,
                         use_socket=self.proxied_socket,