diff --git a/ChangeLog b/ChangeLog
index 381b2a961..f39031200 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,11 @@
    - markus@cvs.openbsd.org 2013/11/13 13:48:20
      [ssh-pkcs11.c]
      add missing braces found by pedro
+   - djm@cvs.openbsd.org 2013/11/20 02:19:01
+     [sshd.c]
+     delay closure of in/out fds until after "Bad protocol version
+     identification..." message, as get_remote_ipaddr/get_remote_port
+     require them open.
 
 20131110
  - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
diff --git a/sshd.c b/sshd.c
index 8a62fc1a6..a53deab3b 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.410 2013/11/02 21:59:15 markus Exp $ */
+/* $OpenBSD: sshd.c,v 1.411 2013/11/20 02:19:01 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -480,11 +480,11 @@ sshd_exchange_identification(int sock_in, int sock_out)
 	    &remote_major, &remote_minor, remote_version) != 3) {
 		s = "Protocol mismatch.\n";
 		(void) atomicio(vwrite, sock_out, s, strlen(s));
-		close(sock_in);
-		close(sock_out);
 		logit("Bad protocol version identification '%.100s' "
 		    "from %s port %d", client_version_string,
 		    get_remote_ipaddr(), get_remote_port());
+		close(sock_in);
+		close(sock_out);
 		cleanup_exit(255);
 	}
 	debug("Client protocol version %d.%d; client software version %.100s",