diff --git a/.travis.yml b/.travis.yml
index ad66e0f..2138f2f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,6 @@
 language: go
 go:
-- 1.9
+- 1.12
 services:
 - docker
 before_install:
diff --git a/go.sum b/go.sum
index 91c9227..f38da41 100644
--- a/go.sum
+++ b/go.sum
@@ -71,8 +71,6 @@ github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhu
 github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is=
 github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e h1:mvOa4+/DXStR4ZXOks/UsjeFdn5O5JpLUtzqk9U8xXw=
 github.com/zmap/zcrypto v0.0.0-20190729165852-9051775e6a2e/go.mod h1:w7kd3qXHh8FNaczNjslXqvFQiv5mMWRXlL9klTUAHc8=
-github.com/zmap/zflags v1.3.0 h1:Pd79SH44p4j54+YADAFiB6dg94DI5GFUMdQkWR5cIL8=
-github.com/zmap/zflags v1.3.0/go.mod h1:HXDUD+uue8yeLHr0eXx1lvY6CvMiHbTKw5nGmA9OUoo=
 github.com/zmap/zflags v1.4.0-beta.1 h1:jzZ+wKTCksS/ltf9q19gYJ6zJuqRULuRdSWBPueEiZ8=
 github.com/zmap/zflags v1.4.0-beta.1/go.mod h1:HXDUD+uue8yeLHr0eXx1lvY6CvMiHbTKw5nGmA9OUoo=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
diff --git a/lib/ssh/handshake.go b/lib/ssh/handshake.go
index 2e50eba..d66526b 100644
--- a/lib/ssh/handshake.go
+++ b/lib/ssh/handshake.go
@@ -176,22 +176,21 @@ func (t *handshakeTransport) readOnePacket() ([]byte, error) {
 	if p[0] != msgKexInit {
 		return p, nil
 	}
-
 	t.mu.Lock()
 
 	firstKex := t.sessionID == nil
+	if !t.config.HelloOnly {
+		err = t.enterKeyExchangeLocked(p)
+		if err != nil {
+			// drop connection
+			t.conn.Close()
+			t.writeError = err
+		}
 
-	err = t.enterKeyExchangeLocked(p)
-	if err != nil {
-		// drop connection
-		t.conn.Close()
-		t.writeError = err
+		if debugHandshake {
+			log.Printf("%s exited key exchange (first %v), err %v", t.id(), firstKex, err)
+		}
 	}
-
-	if debugHandshake {
-		log.Printf("%s exited key exchange (first %v), err %v", t.id(), firstKex, err)
-	}
-
 	// Unblock writers.
 	t.sentInitMsg = nil
 	t.sentInitPacket = nil
@@ -202,7 +201,6 @@ func (t *handshakeTransport) readOnePacket() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-
 	t.readSinceKex = 0
 
 	// By default, a key exchange is hidden from higher layers by