diff --git a/changes/link_negotiation_assert b/changes/link_negotiation_assert
new file mode 100644
index 0000000000..398a545573
--- /dev/null
+++ b/changes/link_negotiation_assert
@@ -0,0 +1,6 @@
+  o Major bugfixs (security):
+    - Fix a group of remotely triggerable assertion failures related to
+      incorrect link protocol negotiation. Found, diagnosed, and fixed
+      by "some guy from France." Fix for CVE-2012-2250; bugfix on
+      0.2.3.6-alpha.
+
diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index 4e3c20ab71..d094d15af0 100644
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1229,6 +1229,15 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
            "handshake. Closing connection.");
     connection_or_close_for_error(chan->conn, 0);
     return;
+  } else if (highest_supported_version != 2 &&
+             chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V2) {
+    /* XXXX This should eventually be a log_protocol_warn */
+    log_fn(LOG_WARN, LD_OR,
+           "Negotiated link with non-2 protocol after doing a v2 TLS "
+           "handshake with %s. Closing connection.",
+           fmt_addr(&chan->conn->base_.addr));
+    connection_or_close_for_error(chan->conn, 0);
+    return;
   }
 
   chan->conn->link_proto = highest_supported_version;