diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 9ca300c0..df232894 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1960,7 +1960,7 @@ cleanup:
 
 bool
 tls_session_update_crypto_params(struct tls_session *session,
-                                 const struct options *options, struct frame *frame)
+                                 struct options *options, struct frame *frame)
 {
     if (!session->opt->server
         && 0 != strcmp(options->ciphername, session->opt->config_ciphername)
@@ -1969,6 +1969,8 @@ tls_session_update_crypto_params(struct tls_session *session,
         msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s",
             options->ciphername, session->opt->config_ciphername,
             options->ncp_ciphers);
+        /* undo cipher push, abort connection setup */
+        options->ciphername = session->opt->config_ciphername;
         return false;
     }
 
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 56ea6013..0e0f68fa 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -481,7 +481,7 @@ void tls_update_remote_addr(struct tls_multi *multi,
  * @return true if updating succeeded, false otherwise.
  */
 bool tls_session_update_crypto_params(struct tls_session *session,
-                                      const struct options *options, struct frame *frame);
+                                      struct options *options, struct frame *frame);
 
 /**
  * "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.
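Review bot: The added `options->ciphername = session->opt->config_ciphername;` in the second ssl.c hunk aliases the session's configured cipher string into `options` instead of copying it, so the two structs now share that storage; if the pushed value being replaced was allocated separately, nothing on this path releases it, and if `options` outlives the session the alias could dangle — worth confirming against how the push handler allocates `ciphername` before relying on this. The undo is attached only to the "pushed cipher not allowed" rejection; the function body continues outside the hunk, so any later `return false` presumably leaves the rejected pushed cipher in `options`, and the comment should make that scope explicit, e.g. `/* reject: restore the configured cipher so the disallowed pushed value does not persist in options */`. The first ssl.c hunk drops `const` solely to permit this write, which widens what callers must expect the function to modify.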
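Review bot: The ssl.h docstring still ends with `@return true if updating succeeded, false otherwise.` and says nothing about the new side effect that accompanies the `const` removal; a caller reading only the header cannot tell that `options->ciphername` may be rewritten on failure. The `@param` lines for this declaration begin above the hunk, so the addition belongs there, along the lines of `@param options  Options to apply; on a rejected pushed cipher, options->ciphername is reset to the session's configured cipher.` Keeping the contract in the header is what lets callers treat the false return as "options are back to the configured cipher" rather than guessing.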