diff --git a/src/XrdCl/XrdClTls.cc b/src/XrdCl/XrdClTls.cc
index 09f63b582c8..c3f4ed9a5da 100644
--- a/src/XrdCl/XrdClTls.cc
+++ b/src/XrdCl/XrdClTls.cc
@@ -64,7 +64,7 @@ namespace XrdCl
       if( error == XrdTls::TLS_WantWrite )
       {
         Status st = pSocketHandler->EnableUplink();
-        if( !st.IsOK() ) status = st;
+        if( !st.IsOK() ) return st;
       }
       //----------------------------------------------------------------------
       // Otherwise disable uplink
@@ -76,7 +76,7 @@ namespace XrdCl
       }
     }
 
-    return Status();
+    return status;
   }
 
   Status Tls::Read( char *buffer, size_t size, int &bytesRead )
@@ -194,6 +194,7 @@ namespace XrdCl
     {
       case XrdTls::TLS_AOK: return Status();
 
+      case XrdTls::TLS_WantConnect:
       case XrdTls::TLS_WantWrite:
       case XrdTls::TLS_WantRead:  return Status( stOK, suRetry, error );
 
diff --git a/src/XrdTls/XrdTlsSocket.cc b/src/XrdTls/XrdTlsSocket.cc
index 54b50527ae7..bb473f55eb5 100644
--- a/src/XrdTls/XrdTlsSocket.cc
+++ b/src/XrdTls/XrdTlsSocket.cc
@@ -192,6 +192,10 @@ XrdTls::RC XrdTlsSocket::Connect(const char *thehost, XrdNetAddrInfo *netInfo,
    int rc = SSL_connect( pImpl->ssl );
    if (rc != 1) return Diagnose(rc);
 
+//  Set the hsDone flag!
+//
+   pImpl->hsDone = bool( SSL_is_init_finished( pImpl->ssl ) );
+
 // Validate the host name if so desired. Note that cert verification is
 // checked by the notary since only hostname validation requires it.
 
@@ -455,6 +459,7 @@ XrdTls::RC XrdTlsSocket::Read( char *buffer, size_t size, int &bytesRead )
     //
     if( rc > 0 )
       {bytesRead = rc;
+       if( !pImpl->hsDone ) pImpl->hsDone = bool( SSL_is_init_finished( pImpl->ssl ) );
        return XrdTls::TLS_AOK;
       }
 
@@ -552,6 +557,7 @@ XrdTls::RC XrdTlsSocket::Write( const char *buffer, size_t size,
     //
     if( rc > 0 )
       {bytesWritten = rc;
+       if( !pImpl->hsDone ) pImpl->hsDone = bool( SSL_is_init_finished( pImpl->ssl ) );
        return XrdTls::TLS_AOK;
       }