diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index fbd3c63fb5d..943dd2d6767 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -1381,6 +1381,8 @@ open_client_SSL(PGconn *conn)
 					else if (r == -1 && save_errno != 0)
 						libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
 												SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
+					else if (save_errno == 0 && vcode == X509_V_OK && ecode == 0)
+						libpq_append_conn_error(conn, "SSL error: handshake failure");
 					else
 						libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
 					pgtls_close(conn);
diff --git a/src/test/ssl/t/004_sni.pl b/src/test/ssl/t/004_sni.pl
index 4e06475b125..878e32ff107 100644
--- a/src/test/ssl/t/004_sni.pl
+++ b/src/test/ssl/t/004_sni.pl
@@ -47,6 +47,9 @@ $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
 
+my $exec_backend = $node->safe_psql('postgres', 'SHOW debug_exec_backend');
+chomp($exec_backend);
+
 $ssl_server->configure_test_server_for_ssl($node, $SERVERHOSTADDR,
 	$SERVERHOSTCIDR, 'trust');
 
@@ -320,9 +323,10 @@ unlike(
 
 SKIP:
 {
-	# Passphrase reloads must be enabled on Windows to succeed even without a
-	# restart
-	skip "Passphrase command reload required on Windows", 1 if ($windows_os);
+	# Passphrase reloads must be enabled on Windows (and EXEC_BACKEND) to
+	# succeed even without a restart
+	skip "Passphrase command reload required on Windows", 1
+		if ($windows_os || $exec_backend =~ /on/);
 
 	$node->connect_ok(
 		"$connstr sslrootcert=ssl/root+server_ca.crt sslmode=require host=localhost",