diff --git a/CHANGES b/CHANGES
index ccc1af907afa238e07fecd57285be19a12da42ff..5380475d8e484100a5c8745706990ae66e9e35a9 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,7 @@ OpenLDAP 2.4 Change Log
 
 OpenLDAP 2.4.21 Engineering
 	Fixed liblutil for negative time offsets (ITS#6405)
+	Fixed slapd looping with SSL/TLS connections (ITS#6412)
 	Fixed slapd use correct ce_type (ITS#6408)
 	Fixed slapo-translucent with back-null (ITS#6403)
 	Fixed slapo-unique conflict with ppolicy (ITS#6270)
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 7f8331f5329875b6bc8b486f7377b5f00383ac7b..66e49f1c4dc0e7a1edd279bfc096bbdaf0525b45 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -1362,8 +1362,8 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
 			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
 			slap_sasl_external( c, c->c_tls_ssf, &authid );
 			if ( authid.bv_val ) free( authid.bv_val );
-		} else if ( rc == 1 ) {	/* need to retry */
-			slapd_set_read( s, 0 );
+		} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
+			LBER_SB_OPT_NEEDS_WRITE, NULL )) {	/* need to retry */
 			slapd_set_write( s, 1 );
 			connection_return( c );
 			return 0;