diff --git a/logsrvd/logsrvd.c b/logsrvd/logsrvd.c
index 12ec8a8e5..c4d3c0edf 100644
--- a/logsrvd/logsrvd.c
+++ b/logsrvd/logsrvd.c
@@ -122,6 +122,8 @@ connection_closure_free(struct connection_closure *closure)
 #if defined(HAVE_OPENSSL)
 sudo_ev_free(closure->ssl_accept_ev);
 if (closure->ssl != NULL) {
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "closing down TLS connection from %s", closure->ipaddr);
 SSL_shutdown(closure->ssl);
 SSL_free(closure->ssl);
 }
@@ -1268,10 +1270,17 @@ client_msg_cb(int fd, int what, void *v)
 closure->read_instead_of_write = true;
 debug_return;
 case SSL_ERROR_SYSCALL:
+ if (nread == 0) {
+ /* EOF, handled below */
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "EOF from %s without proper TLS shutdown",
+ closure->ipaddr);
+ break;
+ }
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
- "unexpected error during SSL_read(): %d (%s)",
- err, strerror(errno));
- goto close_connection;
+ "SSL_read from %s: %s", closure->ipaddr,
+ strerror(errno));
+ goto close_connection;
 default:
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 "unexpected error during SSL_read(): %d (%s)",
diff --git a/logsrvd/logsrvd_relay.c b/logsrvd/logsrvd_relay.c
index d6a2324cf..7bda860e8 100644
--- a/logsrvd/logsrvd_relay.c
+++ b/logsrvd/logsrvd_relay.c
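Review bot: SSL_shutdown() in connection_closure_free still has its return value discarded, and the same applies to the block that relay_closure_free in logsrvd_relay.c now moves earlier. The OpenSSL manual states SSL_shutdown() must not be called once a fatal error has occurred on the connection, and this free routine appears to be the target of the `goto close_connection` taken from the SSL_ERROR_SSL and default cases in the next hunk, so the intent should at least be written down, e.g. `/* Best-effort close_notify; the result is ignored because the socket is being torn down and a prior fatal error may have poisoned the session. */` above the call. If the new "without proper TLS shutdown" messages are meant to be actionable, skipping SSL_shutdown() when the close was triggered by a fatal SSL error (a flag set on those error paths, not present here) would keep this end from producing the same condition for its peers. That part is inferred: the body of connection_closure_free starts and ends outside the hunk.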
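Review bot: The new `if (nread == 0)` test in the SSL_ERROR_SYSCALL case only sees an unclean EOF on OpenSSL 1.1.x, where a peer that closes without close_notify yields SSL_ERROR_SYSCALL with nread 0 and errno 0; OpenSSL 3.0 reports the same event as SSL_ERROR_SSL with reason SSL_R_UNEXPECTED_EOF_WHILE_READING unless SSL_OP_IGNORE_UNEXPECTED_EOF is set, so there the default case logs an "unexpected error" and the connection is closed without ever reaching the EOF handling. The same applies to the matching hunk in relay_server_msg_cb in logsrvd_relay.c. Whether that divergence matters depends on the "handled below" EOF code, which lies outside the hunk: from an audit-log point of view a stream cut off without close_notify is indistinguishable from a truncation by whoever sits on the network path, so the EOF branch should only treat the close as benign when no partial message is buffered, and otherwise log it at the same error level as the other SSL_read failures. Suggest replacing the added comment with `/* EOF with no close_notify: SSL_ERROR_SYSCALL with nread == 0 on OpenSSL 1.1, SSL_ERROR_SSL (SSL_R_UNEXPECTED_EOF_WHILE_READING) on 3.x unless SSL_OP_IGNORE_UNEXPECTED_EOF is set; treated as EOF below. */` so the version dependence is recorded next to the check.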
@@ -77,18 +77,21 @@ relay_closure_free(struct relay_closure *relay_closure)
 struct connection_buffer *buf;
 debug_decl(relay_closure_free, SUDO_DEBUG_UTIL);
 
+#if defined(HAVE_OPENSSL)
+ if (relay_closure->tls_client.ssl != NULL) {
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "closing down TLS connection to %s",
+ relay_closure->relay_name.name);
+ SSL_shutdown(relay_closure->tls_client.ssl);
+ SSL_free(relay_closure->tls_client.ssl);
+ }
+#endif
 if (relay_closure->relays != NULL)
 address_list_delref(relay_closure->relays);
 sudo_rcstr_delref(relay_closure->relay_name.name);
 sudo_ev_free(relay_closure->read_ev);
 sudo_ev_free(relay_closure->write_ev);
 sudo_ev_free(relay_closure->connect_ev);
-#if defined(HAVE_OPENSSL)
- if (relay_closure->tls_client.ssl != NULL) {
- SSL_shutdown(relay_closure->tls_client.ssl);
- SSL_free(relay_closure->tls_client.ssl);
- }
-#endif
 free(relay_closure->read_buf.data);
 while ((buf = TAILQ_FIRST(&relay_closure->write_bufs)) != NULL) {
 TAILQ_REMOVE(&relay_closure->write_bufs, buf, entries);
@@ -752,6 +755,14 @@ relay_server_msg_cb(int fd, int what, void *v)
 relay_closure->relay_name.ipaddr, errstr);
 goto close_connection;
 case SSL_ERROR_SYSCALL:
+ if (nread == 0) {
+ /* EOF, handled below */
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "EOF from %s (%s) without proper TLS shutdown",
+ relay_closure->relay_name.name,
+ relay_closure->relay_name.ipaddr);
+ break;
+ }
 errstr = strerror(errno);
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 "SSL_read from %s (%s): %s",
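Review bot: The TLS teardown block in relay_closure_free is moved above `sudo_rcstr_delref(relay_closure->relay_name.name)` without a comment saying why, and the reason is not obvious from the code alone: the new debug message formats relay_name.name, so the block has to run while that string is still referenced. A one-line comment such as `/* Must precede sudo_rcstr_delref(): the debug message below uses relay_name.name. */` above the `#if` would keep a later cleanup from reordering it back and reintroducing a use of a released string. If relay_name.name can still be NULL when a partially initialised closure is freed, the `%s` argument would also need a guard, but that cannot be confirmed from this hunk; relay_closure_free continues past its end.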