
mod_ssl-2.8.19-1.1.101mdk.src.rpm

Index: pkg.sslmod/ssl_engine_init.c
--- pkg.sslmod/ssl_engine_init.c	11 May 2004 19:16:39 -0000	1.74
+++ pkg.sslmod/ssl_engine_init.c	15 Oct 2004 13:26:55 -0000	1.75
@@ -603,6 +603,14 @@
         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);

     /*
+     * Disallow a session from being resumed during a renegotiation,
+     * so that an acceptable cipher suite can be negotiated.
+     */
+#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+    SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
+#endif
+
+    /*
      *  Configure callbacks for SSL context
      */
     nVerify = SSL_VERIFY_NONE;
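Review bot: The `#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` guard drops the option silently when the OpenSSL headers do not define it, so neither the build nor the logs show whether this server refuses session resumption during a renegotiation. The comment above the guard should say what covers that case, for example `* Where OpenSSL lacks this option, the post-renegotiation cipher check in ssl_engine_kernel.c is the only enforcement.` An `#else` branch that logs once at start-up would also make the gap visible to an operator. The enclosing function starts and ends outside this hunk, so the right logging call and server handle are not visible here.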
Index: pkg.sslmod/ssl_engine_kernel.c
--- pkg.sslmod/ssl_engine_kernel.c	27 May 2004 13:13:52 -0000	1.108
+++ pkg.sslmod/ssl_engine_kernel.c	15 Oct 2004 13:26:55 -0000	1.110
@@ -672,7 +672,7 @@
     X509_STORE_CTX certstorectx;
     int depth;
     STACK_OF(SSL_CIPHER) *skCipherOld;
-    STACK_OF(SSL_CIPHER) *skCipher;
+    STACK_OF(SSL_CIPHER) *skCipher = NULL;
     SSL_CIPHER *pCipher;
     ap_ctx *apctx;
     int nVerifyOld;
@@ -1067,6 +1067,20 @@
             if (cert != NULL)
                 X509_free(cert);
         }
+
+        /*
+         * Also check that SSLCipherSuite has been enforced as expected
+         */
+        if (skCipher != NULL) {
+            pCipher = SSL_get_current_cipher(ssl);
+            if (sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {
+                ssl_log(r->server, SSL_LOG_ERROR,
+                        "SSL cipher suite not renegotiated: "
+                        "access to %s denied using cipher %s",
+                        r->filename, SSL_CIPHER_get_name(pCipher));
+                return FORBIDDEN;
+            }
+        }
     }

     /*
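Review bot: `SSL_get_current_cipher(ssl)` can return NULL when no session is established, and the new check passes `pCipher` straight to `sk_SSL_CIPHER_find()` and `SSL_CIPHER_get_name()` without testing it. The result is probably still a denial, but an explicit test avoids relying on how those two calls treat NULL: `if (pCipher == NULL || sk_SSL_CIPHER_find(skCipher, pCipher) < 0) {`. The check also only means something if `skCipher` is assigned solely when a per-directory cipher list was applied; that assignment is outside this hunk, and the `= NULL` initialiser added at the declaration is what makes the `!= NULL` test safe. The comment could state this, e.g. `* skCipher is non-NULL only if SSLCipherSuite was reconfigured for this request`. The enclosing function starts and ends outside the hunk.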