diff --git a/generator/states-oldstyle.c b/generator/states-oldstyle.c
index 668931b1..1aff1852 100644
--- a/generator/states-oldstyle.c
+++ b/generator/states-oldstyle.c
@@ -46,6 +46,16 @@
 gflags = be16toh (h->sbuf.old_handshake.gflags);
 eflags = be16toh (h->sbuf.old_handshake.eflags);
+ /* Server is unable to upgrade to TLS. If h->tls is not require (2)
+ * then we can continue unencrypted.
+ */
+ if (h->tls == 2) {
+ SET_NEXT_STATE (%.DEAD);
+ set_error (ENOTSUP, "handshake: server is oldstyle, "
+ "but handle TLS setting is require (2)");
+ return 0;
+ }
+
 h->gflags = gflags;
 debug (h, "gflags: 0x%" PRIx16, gflags);
diff --git a/tests/oldstyle.c b/tests/oldstyle.c
index 64862b7e..c179c454 100644
--- a/tests/oldstyle.c
+++ b/tests/oldstyle.c
@@ -87,6 +87,23 @@ main (int argc, char *argv[])
 progname = argv[0];
+ /* Initial sanity check that we can't require TLS */
+ nbd = nbd_create ();
+ if (nbd == NULL) {
+ fprintf (stderr, "%s\n", nbd_get_error ());
+ exit (EXIT_FAILURE);
+ }
+ if (nbd_set_tls (nbd, LIBNBD_TLS_REQUIRE) == -1) {
+ fprintf (stderr, "%s\n", nbd_get_error ());
+ exit (EXIT_FAILURE);
+ }
+ if (nbd_connect_command (nbd, args) != -1) {
+ fprintf (stderr, "%s\n", "expected failure");
+ exit (EXIT_FAILURE);
+ }
+ nbd_close (nbd);
+
+ /* Now for a working connection */
 nbd = nbd_create ();
 if (nbd == NULL) {
 fprintf (stderr, "%s\n", nbd_get_error ());
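Review bot: The new guard in generator/states-oldstyle.c compares against a bare literal, `if (h->tls == 2) {`, while the test added in the same commit selects the mode through `LIBNBD_TLS_REQUIRE`. If that constant is visible to the generator source (not shown here), `if (h->tls == LIBNBD_TLS_REQUIRE) {` would tie the TLS enforcement to the public name rather than to its current numeric value. The other branch, which the comment describes as continuing unencrypted, leaves no trace; a line such as `debug (h, "oldstyle server: continuing without TLS");` would let a caller whose TLS setting is not require see in the debug log that the session is in cleartext. The enclosing state body starts and ends outside the hunk.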
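Review bot: The sanity check added to tests/oldstyle.c accepts any failure of `nbd_connect_command (nbd, args)`, so a connect that fails for an unrelated reason, such as the server command not starting, would pass just as the TLS refusal does. Checking the cause after the failed connect, for example `if (nbd_get_errno () != ENOTSUP)` followed by the same `fprintf`/`exit` pair, would pin the test to the ENOTSUP path that the first hunk introduces. This assumes `<errno.h>` is already included in the test, which the hunk does not show. The body of main continues outside the hunk.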