diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index c25f447fb..628a9b054 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -5345,6 +5345,9 @@ static int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 	struct ssl_counters *counters_px = NULL;
 	struct listener *li;
 	struct server *srv;
+	socklen_t lskerr;
+	int skerr;
+
 
 	if (!conn_ctrl_ready(conn))
 		return 0;
@@ -5372,6 +5375,21 @@ static int ssl_sock_handshake(struct connection *conn, unsigned int flag)
 	if (!conn->xprt_ctx)
 		goto out_error;
 
+	/* don't start calculating a handshake on a dead connection */
+	if (conn->flags & (CO_FL_ERROR | CO_FL_SOCK_RD_SH | CO_FL_SOCK_WR_SH))
+		goto out_error;
+
+	/* FIXME/WT: for now we don't have a clear way to inspect the connection
+	 * status from the lower layers, so let's check the FD directly. Ideally
+	 * the xprt layers should provide some status indicating their knowledge
+	 * of shutdowns or error.
+	 */
+	skerr = 0;
+	lskerr = sizeof(skerr);
+	if ((getsockopt(conn->handle.fd, SOL_SOCKET, SO_ERROR, &skerr, &lskerr) < 0) ||
+	    skerr != 0)
+		goto out_error;
+
 #ifdef SSL_READ_EARLY_DATA_SUCCESS
 	/*
 	 * Check if we have early data. If we do, we have to read them