@@ -387,10 +387,17 @@
 	if (statePtr->flags & TLS_TCL_CALLBACK) {
 		/* don't process any bytes while verify callback is running */
 		dprintf("Callback is running, reading 0 bytes");
 		return(0);
 	}
+
+	if (statePtr->flags & TLS_TCL_EOF) {
+		dprintf("Asked to read after reaching EOF, we are treating this as fatal.");
+		bytesRead = 0;
+		*errorCodePtr = ECONNRESET;
+		return(bytesRead);
+	}
 
 	dprintf("Calling Tls_WaitForConnect");
 	tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 0);
 	if (tlsConnect < 0) {
 		dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr);
@@ -476,10 +483,16 @@
 			dprintf("Unknown error (err = %i), mapping to EOF", err);
 			*errorCodePtr = 0;
 			bytesRead = 0;
 			break;
 	}
+
+	if (bufSize != 0 && bytesRead == 0 && *errorCodePtr == 0) {
+		dprintf("Detected EOF, setting the EOF flag");
+		statePtr->flags |= TLS_TCL_EOF;
+		*errorCodePtr = ECONNRESET;
+	}
 
 	dprintf("Input(%d) -> %d [%d]", bufSize, bytesRead, *errorCodePtr);
 	return(bytesRead);
 }
 
@@ -516,22 +529,30 @@
 		dprintf("Don't process output while callbacks are running")
 		written = -1;
 		*errorCodePtr = EAGAIN;
 		return(-1);
 	}
+
+	if (statePtr->flags & TLS_TCL_EOF) {
+		dprintf("Asked to write after reaching EOF, we are treating this as fatal.");
+		written = 0;
+		*errorCodePtr = ECONNRESET;
+		return(written);
+	}
 
 	dprintf("Calling Tls_WaitForConnect");
 	tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 1);
 	if (tlsConnect < 0) {
 		dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr);
 
 		written = -1;
 		if (*errorCodePtr == ECONNRESET) {
-			dprintf("Got connection reset");
+			dprintf("Got connection reset (setting EOF flag)");
 			/* Soft EOF */
-			*errorCodePtr = 0;
+			*errorCodePtr = ECONNRESET;
 			written = 0;
+			statePtr->flags |= TLS_TCL_EOF;
 		}
 
 		return(written);
 	}
 
@@ -584,11 +605,11 @@
 			break;
 		case SSL_ERROR_WANT_X509_LOOKUP:
 			dprintf(" write X BLOCK");
 			break;
 		case SSL_ERROR_ZERO_RETURN:
-			dprintf(" closed");
+			dprintf(" closed (EOF reached)");
 			written = 0;
 			*errorCodePtr = 0;
 			break;
 		case SSL_ERROR_SYSCALL:
 			backingError = ERR_get_error();
@@ -615,10 +636,16 @@
 			break;
 		default:
 			dprintf(" unknown err: %d", err);
 			break;
 	}
+
+	if (toWrite != 0 && written == 0 && *errorCodePtr == 0) {
+		dprintf("Detected EOF, setting the EOF flag");
+		statePtr->flags |= TLS_TCL_EOF;
+		*errorCodePtr = ECONNRESET;
+	}
 
 	dprintf("Output(%d) -> %d", toWrite, written);
 	return(written);
 }