diff --git a/documentation/sphinx/source/release-notes/release-notes-630.rst b/documentation/sphinx/source/release-notes/release-notes-630.rst
index 7ca1a2e721..3cd90e61dc 100644
--- a/documentation/sphinx/source/release-notes/release-notes-630.rst
+++ b/documentation/sphinx/source/release-notes/release-notes-630.rst
@@ -4,6 +4,10 @@ Release Notes
 #############
+6.3.12
+======
+* Change the default for --knob_tls_server_handshake_threads to 64. The previous was 1000. This avoids starting 1000 threads by default, but may adversely affect recovery time for large clusters using tls. Users with large tls clusters should consider explicitly setting this knob in their foundationdb.conf file. `(PR #4421) `_
+
 6.3.11
 ======
 * Added a hint field in the trace event when all replicas of some data are lost. `(PR #4209) `_
diff --git a/flow/Knobs.cpp b/flow/Knobs.cpp
index 7d46545a98..f337bb2cdb 100644
--- a/flow/Knobs.cpp
+++ b/flow/Knobs.cpp
@@ -92,7 +92,7 @@ void FlowKnobs::initialize(bool randomize, bool isSimulated) {
 init( TLS_SERVER_CONNECTION_THROTTLE_ATTEMPTS, 1 );
 init( TLS_CLIENT_CONNECTION_THROTTLE_ATTEMPTS, 1 );
 init( TLS_CLIENT_HANDSHAKE_THREADS, 0 );
- init( TLS_SERVER_HANDSHAKE_THREADS, 1000 );
+ init( TLS_SERVER_HANDSHAKE_THREADS, 64 );
 init( TLS_HANDSHAKE_THREAD_STACKSIZE, 64 * 1024 );
 init( TLS_MALLOC_ARENA_MAX, 6 );
 init( TLS_HANDSHAKE_LIMIT, 1000 );
diff --git a/flow/Net2.actor.cpp b/flow/Net2.actor.cpp
index b74ca9a7b9..255a2496c1 100644
--- a/flow/Net2.actor.cpp
+++ b/flow/Net2.actor.cpp
@@ -1564,8 +1564,8 @@ THREAD_HANDLE Net2::startThread(THREAD_FUNC_RETURN (*func)(void*), void* arg) {
 Future> Net2::connect(NetworkAddress toAddr, std::string host) {
 #ifndef TLS_DISABLED
- initTLS(ETLSInitState::CONNECT);
- if (toAddr.isTLS()) {
+ if ( toAddr.isTLS() ) {
+ initTLS(ETLSInitState::CONNECT);
 return SSLConnection::connect(&this->reactor.ios, this->sslContextVar.get(), toAddr);
 }
 #endif
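Review bot: The new default `init( TLS_SERVER_HANDSHAKE_THREADS, 64 );` in flow/Knobs.cpp has no comment, so the trade-off it encodes is recorded only in the release notes. A short comment would keep it next to the value, for example `// 64 avoids starting 1000 threads by default; large TLS clusters may need a higher value to keep recovery time down`. `TLS_HANDSHAKE_LIMIT` stays at 1000 in the same hunk, and how that limit interacts with a pool of 64 is not visible here; if handshakes queue behind the pool, slow or stalled peers would hold a larger share of it than before, so it is worth confirming that handshake timeouts and monitoring cover that case. `FlowKnobs::initialize` starts and ends outside the hunk.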
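Review bot: Nothing in flow/Net2.actor.cpp says why `initTLS(ETLSInitState::CONNECT)` moved inside the `toAddr.isTLS()` branch of `Net2::connect`, and the same holds for `initTLS(ETLSInitState::LISTEN)` in the `Net2::listen` hunk that follows. A one-line comment above each call would record the intent, for example `// Initialize TLS lazily so that non-TLS processes never set up the TLS context or handshake threads`; the link to handshake threads is inferred from the release note, not from these lines. Since initialization now depends on the first TLS address being seen, any other path that reads `sslContextVar` has to pass through one of these two branches first, which is worth confirming outside the hunks. The added conditions also use `if ( toAddr.isTLS() )` where the removed lines used `if (toAddr.isTLS())`; keeping the existing spacing would avoid style churn. Both function bodies continue outside their hunks.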
@@ -1649,9 +1649,9 @@ bool Net2::isAddressOnThisHost(NetworkAddress const& addr) {
 Reference Net2::listen(NetworkAddress localAddr) {
 try {
 #ifndef TLS_DISABLED
- initTLS(ETLSInitState::LISTEN);
- if (localAddr.isTLS()) {
- return Reference(new SSLListener(reactor.ios, &this->sslContextVar, localAddr));
+ if ( localAddr.isTLS() ) {
+ initTLS(ETLSInitState::LISTEN);
+ return Reference(new SSLListener( reactor.ios, &this->sslContextVar, localAddr ));
 }
 #endif
 return Reference(new Listener(reactor.ios, localAddr));