diff --git a/config/external/nss/nss.def b/config/external/nss/nss.def
index ea18665d130..2e631536ce3 100644
--- a/config/external/nss/nss.def
+++ b/config/external/nss/nss.def
@@ -668,6 +668,7 @@ SSL_SetStapledOCSPResponses
 SSL_SetURL
 SSL_SNISocketConfigHook
 SSL_VersionRangeGet
+SSL_VersionRangeGetDefault
 SSL_VersionRangeGetSupported
 SSL_VersionRangeSet
 SSL_VersionRangeSetDefault
diff --git a/security/manager/ssl/nsNSSCallbacks.cpp b/security/manager/ssl/nsNSSCallbacks.cpp
index 819dfed56ee..6fb8e3080aa 100644
--- a/security/manager/ssl/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/nsNSSCallbacks.cpp
@@ -1245,9 +1245,13 @@ void HandshakeCallback(PRFileDesc* fd, void* client_data) {
 } else {
 state = nsIWebProgressListener::STATE_IS_SECURE |
 nsIWebProgressListener::STATE_SECURE_HIGH;
- // we know this site no longer requires a weak cipher
- ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(),
- infoObject->GetPort());
+ SSLVersionRange defVersion;
+ rv = SSL_VersionRangeGetDefault(ssl_variant_stream, &defVersion);
+ if (rv == SECSuccess && versions.max >= defVersion.max) {
+ // we know this site no longer requires a weak cipher
+ ioLayerHelpers.removeInsecureFallbackSite(infoObject->GetHostName(),
+ infoObject->GetPort());
+ }
 }

 infoObject->SetSecurityState(state);
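Review bot: The new guard `versions.max >= defVersion.max` in HandshakeCallback decides whether a host leaves the insecure-fallback list, but the comment kept inside it still speaks only of weak ciphers and does not say why the version range matters. I would state the reason above the `if`, for example `// Only a handshake offered with at least the default max version shows the site works without the fallback.`, adjusted if that is not the intent, since `versions` is set outside this hunk. The call also reuses `rv`, which is declared outside the hunk; if anything later in the function still reads the earlier status, a separate local such as `SECStatus defRv = SSL_VersionRangeGetDefault(ssl_variant_stream, &defVersion);` avoids overwriting it. When the call fails, the host silently stays on the fallback list, which deserves a sentence in the same comment.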