diff --git a/CHANGES b/CHANGES
index c189177327..188fa778ac 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) mod_proxy: Play/restore the TLS-SNI on new backend connections which
+     had to be issued because the remote closed the previous/reusable one
+     during idle (keep-alive) time.  [Yann Ylavic]
+
   *) mod_proxy_http2: new experimental http2 proxy module for h2: and h2c: proxy
      urls. Uses, so far, one connection per request, reuses connections.
   
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index c4112d5c1f..2be33ccd7b 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -2717,12 +2717,18 @@ PROXY_DECLARE(int) ap_proxy_connect_backend(const char *proxy_function,
 
     if (conn->sock) {
         if (!(connected = ap_proxy_is_socket_connected(conn->sock))) {
-            /* FIXME: this loses conn->ssl_hostname and it will not be
-             * restablished before the SSL connection is made -> no SNI! */
+            /* This clears conn->scpool (and associated data), so backup and
+             * restore any ssl_hostname for this connection set earlier by
+             * ap_proxy_determine_connection().
+             */
+            const char *ssl_hostname = conn->ssl_hostname;
+
             socket_cleanup(conn);
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(00951)
                          "%s: backend socket is disconnected.",
                          proxy_function);
+
+            conn->ssl_hostname = apr_pstrdup(conn->scpool, ssl_hostname);
         }
     }
     while ((backend_addr || conn->uds_path) && !connected) {