diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 96d81d2b..0bb7b91c 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -505,7 +505,8 @@ start:
 /* Begin a new handshake. */
 ssl->s3->total_renegotiations++;
 ssl->state = SSL_ST_CONNECT;
- i = ssl->handshake_func(ssl);
+ /* TODO(davidben): Lift this call up to SSL_read. */
+ i = SSL_do_handshake(ssl);
 if (i < 0) {
 return i;
 }
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 25e13496..74c2d26b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -559,6 +559,11 @@ int SSL_do_handshake(SSL *ssl) {
 return -1;
 }

+ if (ssl->s3->send_shutdown != ssl_shutdown_none) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
+ return -1;
+ }
+
 if (!SSL_in_init(ssl)) {
 return 1;
 }
@@ -599,6 +604,11 @@ static int ssl_read_impl(SSL *ssl, void *buf, int num, int peek) {
 return -1;
 }

+ if (ssl->s3->send_shutdown != ssl_shutdown_none) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
+ return -1;
+ }
+
 /* This may require multiple iterations. False Start will cause
 * |ssl->handshake_func| to signal success one step early, but the handshake
 * must be completely finished before other modes are accepted. */
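Review bot: `ssl->s3->total_renegotiations++` and `ssl->state = SSL_ST_CONNECT` run before the call that is now `SSL_do_handshake(ssl)`, and per the ssl_lib.c hunk in this commit that function can return -1 from a precondition check without performing any handshake step. If that early return were ever taken here, the connection would be left marked as handshaking with the counter already incremented. It is presumably unreachable because the read path makes the same shutdown check first, but nothing at this call site says so. I would extend the TODO, e.g. `/* SSL_do_handshake re-checks its preconditions, including shutdown state; the read path is expected to have rejected those cases already. */`. The enclosing function starts and ends outside the hunk.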
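Review bot: The new `send_shutdown` check sits above `if (!SSL_in_init(ssl)) { return 1; }`, so a call on a connection whose handshake has already finished now fails with `SSL_R_PROTOCOL_IS_SHUTDOWN` once `send_shutdown` is set, where it previously returned 1. Neither the check nor that ordering carries a comment, and the same four lines are added again in `ssl_read_impl` in the next hunk; a small static helper would keep the two copies from drifting. Only the send side is consulted here, and whether a connection whose receive side is shut down should also be refused cannot be answered from these lines. A comment stating the intent would settle it, e.g. `/* Refuse to (re)start a handshake once our side has shut down, even if the handshake had already completed. */`.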
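Review bot: This guard makes `ssl_read_impl` fail, for both the read and `peek` cases, as soon as the local side has set `send_shutdown`, whether or not the peer still has data or its own close to deliver. It reports that by pushing `SSL_R_PROTOCOL_IS_SHUTDOWN` onto the error queue rather than signalling a clean end of stream. A caller that shuts down its write side first and then reads until the peer closes would, assuming the usual error-queue handling in `SSL_get_error`, now see a generic failure, which is easy to mistake for a transport or protocol fault. If that is intended, the hunk should say so, e.g. `/* Reads are refused once we have sent our shutdown, even if the peer has not yet closed. */`, and a test for read-after-shutdown would pin the behaviour. The body of `ssl_read_impl` continues outside the hunk.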