--- modules/ssl/ssl_engine_kernel.c 2017-05-02 05:01:17.000000000 -0600
+++ modules/ssl/ssl_engine_kernel.c 2018-04-02 09:16:58.000000000 -0600
@@ -2136,6 +2136,25 @@
 if (servername) {
 if (ap_vhost_iterate_given_conn(c, ssl_find_vhost, (void *)servername)) {
+ SSLSrvConfigRec* sc = mySrvConfig(sslcon->server);
+ const char* version = SSL_get_version(ssl);
+ int mask = sc->server->protocol;
+ if (strcmp(version, SSL_TXT_TLSV1_2) == 0) {
+ mask = SSL_PROTOCOL_TLSV1_2;
+ }
+ else if (strcmp(version, SSL_TXT_TLSV1_1) == 0) {
+ mask = SSL_PROTOCOL_TLSV1_1;
+ }
+ else if (strcmp(version, SSL_TXT_TLSV1) == 0) {
+ mask = SSL_PROTOCOL_TLSV1;
+ }
+ if (!(sc->server->protocol & mask)) {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02045)
+ "Rejecting version %s for servername %s",
+ version, servername);
+ return APR_EMISMATCH;
+ }
+
 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02043) "SSL virtual host for servername %s found", servername);
@@ -2209,7 +2209,15 @@
 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
 apr_status_t status = init_vhost(c, ssl);
- return (status == APR_SUCCESS)? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK;
+ switch (status) {
+ case APR_SUCCESS:
+ return SSL_TLSEXT_ERR_OK;
+ case APR_EMISMATCH:
+ *al = SSL_AD_PROTOCOL_VERSION;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ default:
+ return SSL_TLSEXT_ERR_NOACK;
+ }
 }
 /*
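Review bot: In the first hunk the version check fails open, because `mask` starts as `sc->server->protocol`: when `SSL_get_version()` returns anything other than the three compared strings (SSLv3, or a TLS version newer than 1.2), `!(sc->server->protocol & mask)` is false and the connection is accepted whatever the selected vhost's protocol setting is. Start from `int mask = SSL_PROTOCOL_NONE;` so an unrecognised version is rejected, and add an explicit branch for every other version the build supports, e.g. `else if (strcmp(version, SSL_TXT_SSLV3) == 0) { mask = SSL_PROTOCOL_SSLV3; }`. The refusal is logged only at `APLOG_DEBUG`, so it will not show at the default log level; a policy rejection is usually worth `APLOG_INFO`. `sslcon` is declared outside the hunk, so it cannot be confirmed from here that `sslcon->server` already points at the vhost matched by `ssl_find_vhost`.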
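Review bot: In the second hunk the fatal alert is produced only by this callback's `switch`, so the new `APR_EMISMATCH` result is enforced only if no other caller of `init_vhost()` discards its return value; those callers are outside the hunk and should be checked. The `default` branch still answers `SSL_TLSEXT_ERR_NOACK`, which lets the handshake continue on any other failure status, so the mismatch case deserves a comment stating the intent, e.g. `/* vhost's SSLProtocol excludes the negotiated version: abort with protocol_version */` above `case APR_EMISMATCH:`. `al` is presumably a parameter of the enclosing function, whose signature is not in the hunk.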