diff --git a/src/quic_ssl.c b/src/quic_ssl.c
index b64df7ce2..dfa25b7ac 100644
--- a/src/quic_ssl.c
+++ b/src/quic_ssl.c
@@ -291,6 +291,19 @@ static int ha_quic_set_encryption_secrets(SSL *ssl, enum ssl_encryption_level_t
 		struct quic_tls_kp *nxt_rx = &qc->ku.nxt_rx;
 		struct quic_tls_kp *nxt_tx = &qc->ku.nxt_tx;
 
+		/* RFC 9000
+		 * 4.9.3. Discarding 0-RTT Keys 0-RTT and 1-RTT packets share the same
+		 * packet number space, and clients do not send 0-RTT packets after
+		 * sending a 1-RTT packet (Section 5.6).
+		 *
+		 * Therefore, a client SHOULD discard 0-RTT keys as soon as it installs
+		 * 1-RTT keys as they have no use after that moment.
+		 */
+		if (objt_server(qc->target) && qc->eel) {
+			TRACE_PROTO("discarding Early Data keys", QUIC_EV_CONN_PHPKTS, qc);
+			qc_enc_level_free(qc, &qc->eel);
+		}
+
 #if !defined(USE_QUIC_OPENSSL_COMPAT) && !defined(HAVE_OPENSSL_QUIC)
 		if (objt_server(qc->target)) {
 			const unsigned char *tp;