diff --git a/CHANGES b/CHANGES
index 5c965fcfd2..f46c4ac80c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@ Changes with Apache 2.3.0
   [Remove entries to the current 2.0 and 2.2 section below, when backported]
+  *) SECURITY: CAN-2005-2700 (cve.mitre.org)
+     mod_ssl: Fix a security issue where "SSLVerifyClient" was not
+     enforced in per-location context if "SSLVerifyClient optional"
+     was configured in the vhost configuration. [Joe Orton]
+
   *) mod_cgid: run the get_suexec_identity hook within the request-handler instead of within cgid. PR36410. [Colm MacCarthaigh]
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 25b8a4879f..02ee92a806 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -406,8 +406,8 @@ int ssl_hook_Access(request_rec *r)
             (!(verify_old & SSL_VERIFY_PEER) &&
              (verify & SSL_VERIFY_PEER)) ||
-            (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
-             (verify & SSL_VERIFY_PEER_STRICT)))
+            (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
+             (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
         {
             renegotiate = TRUE; /* optimization */
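Review bot: The two `+` lines in ssl_hook_Access now test the `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` bit on its own, but nothing in the code records why the composite `SSL_VERIFY_PEER_STRICT` must not be used here, so the same regression is easy to reintroduce. If, as in mod_ssl's headers, `SSL_VERIFY_PEER_STRICT` is `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, then `!(verify_old & SSL_VERIFY_PEER_STRICT)` was false whenever the vhost already had `optional` (PEER bit set), so a per-location `require` never set `renegotiate` and the client was never asked for a certificate. I would add a comment above the condition, e.g. `/* Check the FAIL_IF_NO_PEER_CERT bit alone, not SSL_VERIFY_PEER_STRICT: the composite also contains SSL_VERIFY_PEER, so an 'optional' -> 'require' upgrade would be missed (CAN-2005-2700). */`. A configuration regression test with `SSLVerifyClient optional` in the vhost and `SSLVerifyClient require` in a `<Location>` would pin this behaviour; the enclosing function starts and ends outside the hunk, so any parallel verify-mode comparisons elsewhere in ssl_hook_Access should be checked for the same composite-mask pattern.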