diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 2e6b2e8da559db..65c684abfe89a3 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -62,32 +62,28 @@ const noop = () => {};
 function onhandshakestart(now) {
   debug('onhandshakestart');
-  assert(now >= this.lastHandshakeTime);
+  const { lastHandshakeTime } = this;
+  assert(now >= lastHandshakeTime);
-  const owner = this.owner;
+  this.lastHandshakeTime = now;
-  if ((now - this.lastHandshakeTime) >= tls.CLIENT_RENEG_WINDOW * 1000) {
-    this.handshakes = 0;
-  }
+  // If this is the first handshake we can skip the rest of the checks.
+  if (lastHandshakeTime === 0)
+    return;
-  const first = (this.lastHandshakeTime === 0);
-  this.lastHandshakeTime = now;
-  if (first) return;
+  if ((now - lastHandshakeTime) >= tls.CLIENT_RENEG_WINDOW * 1000)
+    this.handshakes = 1;
+  else
+    this.handshakes++;
-  if (++this.handshakes > tls.CLIENT_RENEG_LIMIT) {
-    // Defer the error event to the next tick. We're being called from OpenSSL's
-    // state machine and OpenSSL is not re-entrant. We cannot allow the user's
-    // callback to destroy the connection right now, it would crash and burn.
-    setImmediate(emitSessionAttackError, owner);
+  const { owner } = this;
+  if (this.handshakes > tls.CLIENT_RENEG_LIMIT) {
+    owner._emitTLSError(new ERR_TLS_SESSION_ATTACK());
+    return;
   }
-  if (owner[kDisableRenegotiation] && this.handshakes > 0) {
+  if (owner[kDisableRenegotiation])
     owner._emitTLSError(new ERR_TLS_RENEGOTIATION_DISABLED());
-  }
-}
-
-function emitSessionAttackError(socket) {
-  socket._emitTLSError(new ERR_TLS_SESSION_ATTACK());
 }
 function onhandshakedone() {
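Review bot: The ERR_TLS_SESSION_ATTACK error is now emitted synchronously via `owner._emitTLSError(...)` from inside the OpenSSL handshake callback, and the removed comment explaining why it used to be deferred with `setImmediate` (OpenSSL's state machine is not re-entrant; a user 'error' handler destroying the socket mid-callback would crash) disappears with it, leaving no record of why that concern no longer applies. The ERR_TLS_RENEGOTIATION_DISABLED path already called `_emitTLSError` synchronously in the old code, so this is plausibly safe, but the reasoning should be written down rather than lost: a comment above the `const { owner } = this;` line such as `// Emitting synchronously is safe only if _emitTLSError never tears down the handle re-entrantly while OpenSSL is mid-handshake; the renegotiation-disabled path has always relied on this.` would capture it, and if that property cannot be confirmed the deferral should be kept. It is also worth a short comment on the added `return;` that a renegotiation-flood detection deliberately suppresses the separate renegotiation-disabled error, so only one error event is raised per handshake. Note that the limit check still only emits an error and does not itself stop further handshakes; that is unchanged behavior, but a reader of the new condensed code may assume otherwise.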