diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 6985ae63f..4e5e25755 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -82,6 +82,9 @@ struct tls_header {
 #define TLS_ALERT_WARNING 1
 #define TLS_ALERT_FATAL 2
 
+/* TLS alert descriptions */
+#define TLS_ALERT_CLOSE_NOTIFY 0
+
 /* TLS cipher specifications */
 #define TLS_RSA_WITH_NULL_MD5 0x0001
 #define TLS_RSA_WITH_NULL_SHA 0x0002
diff --git a/src/net/tls.c b/src/net/tls.c
index 73d470221..d100b9daa 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2060,8 +2060,16 @@ static int tls_new_alert ( struct tls_connection *tls,
 	/* Handle alert */
 	switch ( alert->level ) {
 	case TLS_ALERT_WARNING:
-		DBGC ( tls, "TLS %p received warning alert %d\n",
-		       tls, alert->description );
+		switch ( alert->description ) {
+		case TLS_ALERT_CLOSE_NOTIFY:
+			DBGC ( tls, "TLS %p closed by notification\n", tls );
+			tls_close ( tls, 0 );
+			break;
+		default:
+			DBGC ( tls, "TLS %p received warning alert %d\n",
+			       tls, alert->description );
+			break;
+		}
 		return 0;
 	case TLS_ALERT_FATAL:
 		DBGC ( tls, "TLS %p received fatal alert %d\n",