diff --git a/credentials/tls.go b/credentials/tls.go
index 0d43632fc..28b4f6232 100644
--- a/credentials/tls.go
+++ b/credentials/tls.go
@@ -82,13 +82,16 @@ func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawCon
 errChannel := make(chan error, 1)
 go func() {
 errChannel <- conn.Handshake()
+ close(errChannel)
 }()
 select {
 case err := <-errChannel:
 if err != nil {
+ conn.Close()
 return nil, nil, err
 }
 case <-ctx.Done():
+ conn.Close()
 return nil, nil, ctx.Err()
 }
 return internal.WrapSyscallConn(rawConn, conn), TLSInfo{conn.ConnectionState(), CommonAuthInfo{PrivacyAndIntegrity}}, nil
@@ -97,6 +100,7 @@ func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawCon
 func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) {
 conn := tls.Server(rawConn, c.config)
 if err := conn.Handshake(); err != nil {
+ conn.Close()
 return nil, nil, err
 }
 return internal.WrapSyscallConn(rawConn, conn), TLSInfo{conn.ConnectionState(), CommonAuthInfo{PrivacyAndIntegrity}}, nil
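Review bot: The `conn.Close()` calls added in both failure branches of the select (and the one in the ServerHandshake hunk below) also close `rawConn`, because `tls.Conn.Close` closes the underlying connection, and nothing in the visible code documents that the function now takes ownership of `rawConn` on error. A caller that already closes `rawConn` after a failed handshake will close it twice, so the contract deserves a comment at each site, for example `// Close conn, and with it rawConn, so the socket is released and the pending Handshake returns; the Close error is deliberately ignored.`. On the `ctx.Done()` path the goroutine may still be inside `Handshake()` when the function returns, and it relies on that Close to exit. The added `close(errChannel)` has no observable effect, since the channel has capacity 1 and is received from at most once; it can be dropped or given a comment saying why it is there. ClientHandshake begins above the hunk, so how `conn` is built from `rawConn` is assumed rather than visible here.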
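Review bot: `conn.Handshake()` in ServerHandshake has no deadline or context of its own, so a peer that connects and then stalls keeps this call, its goroutine and the socket occupied until something else times out; the new `conn.Close()` only runs once Handshake has already returned an error. If the caller is expected to set a deadline on `rawConn` before calling ServerHandshake, which is not visible in this hunk, say so in a doc comment such as `// ServerHandshake relies on the caller to bound the handshake with a deadline on rawConn.`. Otherwise consider `conn.HandshakeContext` with a timeout, where the supported Go versions provide it.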