diff --git a/common.go b/common.go
index a888df7..f86c90d 100644
--- a/common.go
+++ b/common.go
@@ -204,7 +204,24 @@ type Config struct {
 // connections using that key are compromised.
 SessionTicketKey [32]byte
- serverInitOnce sync.Once
+ serverInitOnce sync.Once // guards calling (*Config).serverInit
+}
+
+func (c *Config) serverInit() {
+ if c.SessionTicketsDisabled {
+ return
+ }
+
+ // If the key has already been set then we have nothing to do.
+ for _, b := range c.SessionTicketKey {
+ if b != 0 {
+ return
+ }
+ }
+
+ if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil {
+ c.SessionTicketsDisabled = true
+ }
 }
 func (c *Config) rand() io.Reader {
diff --git a/handshake_server.go b/handshake_server.go
index 7309910..823730c 100644
--- a/handshake_server.go
+++ b/handshake_server.go
@@ -33,22 +33,7 @@ func (c *Conn) serverHandshake() error {
 // If this is the first server handshake, we generate a random key to
 // encrypt the tickets with.
- config.serverInitOnce.Do(func() {
- if config.SessionTicketsDisabled {
- return
- }
-
- // If the key has already been set then we have nothing to do.
- for _, b := range config.SessionTicketKey {
- if b != 0 {
- return
- }
- }
-
- if _, err := io.ReadFull(config.rand(), config.SessionTicketKey[:]); err != nil {
- config.SessionTicketsDisabled = true
- }
- })
+ config.serverInitOnce.Do(config.serverInit)
 hs := serverHandshakeState{
 c: c,
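Review bot: In `serverInit` (common.go hunk) the `io.ReadFull` error is discarded and the read lands directly in `c.SessionTicketKey`, so a short read from `c.rand()` can leave a partly filled, mostly zero key in the exported field while tickets are silently switched off. Because the "already set" loop accepts any non-zero byte as a configured key, a Config that later inherits this array (presumably by copying fields, not visible here) would treat it as valid key material. Read into a local instead, `var key [32]byte`, and assign `c.SessionTicketKey = key` only after `io.ReadFull(c.rand(), key[:])` returns nil. The method also needs a doc comment such as `// serverInit is run at most once, via c.serverInitOnce; it writes SessionTicketKey and SessionTicketsDisabled without locking.`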