diff --git a/CHANGELOG b/CHANGELOG
index df59f2b6c..54a5a788c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 #Nmap Changelog ($Id$); -*-text-*-
+o [NSE][GH#2237] Prevent the ssl-* NSE scripts from probing ports that were
+ excluded from version scan, usually 9100-9107, since JetDirect will print
+ anything sent to these ports. [Daniel Miller]
+
 o Nmap's retransmission limits were preventing some UDP payloads from being tried with -sU and -PU. Now, Nmap ensures each payload for a particular port is sent at least once, unless --max-retries prevents it. [Daniel Miller]
diff --git a/nselib/shortport.lua b/nselib/shortport.lua
index bb0da9e19..879fdcd4d 100644
--- a/nselib/shortport.lua
+++ b/nselib/shortport.lua
@@ -248,7 +248,9 @@ function ssl(host, port)
 -- If we're just looking up port info, stop here.
 if not host then return false end
 -- if we didn't detect something *not* SSL, check it ourselves
- if port.version and port.version.name_confidence <= 3 and host.registry then
+ -- but don't check if it's an excluded port
+ if port.version and port.version.name_confidence <= 3 and host.registry
+ and not nmap.port_is_excluded(port.number, port.protocol) then
 comm = comm or require "comm"
 host.registry.ssl = host.registry.ssl or {}
 local mtx = nmap.mutex(host.registry.ssl)
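Review bot: The new comment above the `if` in `ssl()` says that excluded ports are skipped but not why, so a later cleanup could drop the `nmap.port_is_excluded` term without seeing the consequence. I would state the reason in the code, e.g. `-- Never actively probe ports excluded from version scan (usually 9100-9107): JetDirect prints anything sent to them.` The guard covers only this active SSL-detection branch, and the rest of `ssl()` lies outside the hunk. It is therefore worth confirming that an excluded port cannot already have returned true earlier in the function, since a rule that matches before this branch would still let the ssl-* scripts connect. The function's NSEDoc should probably also note that the result now depends on the version-scan exclude list.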