diff --git a/CHANGES b/CHANGES
index d0477aeade9bcd97b991a457cd0764cf36d400b9..99921383ccc63756aee8ee083c94a56ba02bfbe3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -17,6 +17,7 @@ OpenLDAP 2.4.20 Engineering
 	Fixed slapd invalid dn log message (ITS#6309)
 	Fixed slapd lockup on shutdown (ITS#6372)
 	Fixed slapd termination for one level DNs (ITS#6338)
+	Fixed slapd tls_accept to retry in certain cases (ITS#6304)
 	Fixed slapd unused parameter (ITS#6356)
 	Fixed slapd-bdb/hdb cache corruption (ITS#6341)
 	Fixed slapd-bdb/hdb entry cache (ITS#6360)
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 43faf736a511b65f30d575dcbf813fbade6c81ed..80edfb0fd0685d7c56546d412d3e009e6dfea79a 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -1380,6 +1380,11 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
 			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
 			slap_sasl_external( c, c->c_tls_ssf, &authid );
 			if ( authid.bv_val ) free( authid.bv_val );
+		} else if ( rc == 1 ) {	/* need to retry */
+			slapd_set_read( s, 0 );
+			slapd_set_write( s, 1 );
+			connection_return( c );
+			return 0;
 		}
 
 		/* if success and data is ready, fall thru to data input loop */
@@ -1879,6 +1884,14 @@ int connection_write(ber_socket_t s)
 		return -1;
 	}
 
+#ifdef HAVE_TLS
+	if ( c->c_is_tls && c->c_needs_tls_accept ) {
+		connection_return( c );
+		connection_read_activate( s );
+		return 0;
+	}
+#endif
+
 	c->c_n_write++;
 
 	Debug( LDAP_DEBUG_TRACE,