Index: tlsIO.c
==================================================================
--- tlsIO.c
+++ tlsIO.c
@@ -516,22 +516,30 @@
 		dprintf("Don't process output while callbacks are running")
 		written = -1;
 		*errorCodePtr = EAGAIN;
 		return(-1);
 	}
+
+	if (statePtr->flags & TLS_TCL_EOF) {
+		dprintf("Asked to write after reaching EOF, we are treating this as fatal.");
+		written = -1;
+		*errorCodePtr = ECONNRESET;
+		return(written);
+	}
 
 	dprintf("Calling Tls_WaitForConnect");
 	tlsConnect = Tls_WaitForConnect(statePtr, errorCodePtr, 1);
 	if (tlsConnect < 0) {
 		dprintf("Got an error waiting to connect (tlsConnect = %i, *errorCodePtr = %i)", tlsConnect, *errorCodePtr);
 
 		written = -1;
 		if (*errorCodePtr == ECONNRESET) {
-			dprintf("Got connection reset");
+			dprintf("Got connection reset (setting EOF flag)");
 			/* Soft EOF */
 			*errorCodePtr = 0;
 			written = 0;
+			statePtr->flags |= TLS_TCL_EOF;
 		}
 
 		return(written);
 	}
 
@@ -584,11 +592,11 @@
 			break;
 		case SSL_ERROR_WANT_X509_LOOKUP:
 			dprintf(" write X BLOCK");
 			break;
 		case SSL_ERROR_ZERO_RETURN:
-			dprintf(" closed");
+			dprintf(" closed (EOF reached)");
 			written = 0;
 			*errorCodePtr = 0;
 			break;
 		case SSL_ERROR_SYSCALL:
 			backingError = ERR_get_error();
@@ -615,10 +623,15 @@
 			break;
 		default:
 			dprintf(" unknown err: %d", err);
 			break;
 	}
+
+	if (toWrite != 0 && written == 0 && *errorCodePtr == 0) {
+		dprintf("Detected EOF, setting the EOF flag");
+		statePtr->flags |= TLS_TCL_EOF;
+	}
 
 	dprintf("Output(%d) -> %d", toWrite, written);
 	return(written);
 }
 

Index: tlsInt.h
==================================================================
--- tlsInt.h
+++ tlsInt.h
@@ -124,10 +124,11 @@
 					 * looping problem. [Bug 1652380] */
 #define TLS_TCL_HANDSHAKE_FAILED (1<<5) /* Set on handshake failures and once
                                          * set, all further I/O will result
                                          * in ECONNABORTED errors. */
 #define TLS_TCL_FASTPATH (1<<6)         /* The parent channel is being used directly by the SSL library */
+#define TLS_TCL_EOF (1<<7)         /* We initiated EOF, any further attempts to write will return an error */
 #define TLS_TCL_DELAY (5)
 
 /*
  * This structure describes the per-instance state
  * of an ssl channel.