diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 8a3a1b04f..0e8325346 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2487,6 +2487,7 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 	}
 	if (has_ecdsa_sig) {  /* in very rare case: has ecdsa sign but not a ECDSA cipher */
 		const SSL_CIPHER *cipher;
+		uint32_t cipher_id;
 		size_t len;
 		const uint8_t *cipher_suites;
 		has_ecdsa_sig = 0;
@@ -2505,7 +2506,13 @@ int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg)
 #else
 			cipher = SSL_CIPHER_find(ssl, cipher_suites);
 #endif
-			if (cipher && SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa) {
+			cipher_id = SSL_CIPHER_get_id(cipher);
+			/* skip the SCSV "fake" signaling ciphersuites because they are NID_auth_any (RFC 7507) */
+			if (cipher_id == SSL3_CK_SCSV || cipher_id == SSL3_CK_FALLBACK_SCSV)
+				continue;
+
+			if (cipher && (   SSL_CIPHER_get_auth_nid(cipher) == NID_auth_ecdsa
+			               || SSL_CIPHER_get_auth_nid(cipher) == NID_auth_any)) {
 				has_ecdsa_sig = 1;
 				break;
 			}