diff --git a/lib/urldata.h b/lib/urldata.h
index e7341ac0f17c341f6eb5193b6041b173f7ce9bdf..ab26c0111005f0b4e21f38c11a3ec53a1d3bf551 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -297,6 +297,7 @@ struct ssl_connect_data {
   mbedtls_x509_crl crl;
   mbedtls_pk_context pk;
   mbedtls_ssl_config config;
+  const char *protocols[3];
 #elif defined(USE_POLARSSL)
   ctr_drbg_context ctr_drbg;
   entropy_context entropy;
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index cc71f59d92c0b4c2e4549002973c32d221a4a032..cf8996786c82e36f52173763658a4cf0a895963c 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -384,19 +384,21 @@ mbedtls_connect_step1(struct connectdata *conn,
 
 #ifdef HAS_ALPN
   if(data->set.ssl_enable_alpn) {
-    const char *protocols[3];
-    const char **p = protocols;
+    const char **p = &connssl->protocols[0];
 #ifdef USE_NGHTTP2
     if(data->set.httpversion >= CURL_HTTP_VERSION_2)
       *p++ = NGHTTP2_PROTO_VERSION_ID;
 #endif
     *p++ = ALPN_HTTP_1_1;
     *p = NULL;
-    if(mbedtls_ssl_conf_alpn_protocols(&connssl->config, protocols)) {
+    /* this function doesn't clone the protocols array, which is why we need
+       to keep it around */
+    if(mbedtls_ssl_conf_alpn_protocols(&connssl->config,
+                                       &connssl->protocols[0])) {
       failf(data, "Failed setting ALPN protocols");
       return CURLE_SSL_CONNECT_ERROR;
     }
-    for(p = protocols; *p; ++p)
+    for(p = &connssl->protocols[0]; *p; ++p)
       infof(data, "ALPN, offering %s\n", *p);
   }
 #endif