diff --git a/confluent_server/confluent/sockapi.py b/confluent_server/confluent/sockapi.py
index adb44cf1..db6d5864 100644
--- a/confluent_server/confluent/sockapi.py
+++ b/confluent_server/confluent/sockapi.py
@@ -338,6 +338,7 @@ def _tlsstartup(cnn):
         ctx.set_cipher_list(
             'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:'
             'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384')
+        ctx.set_tmp_ecdh(crypto.get_elliptic_curve('secp384r1'))
         ctx.use_certificate_file('/etc/confluent/srvcert.pem')
         ctx.use_privatekey_file('/etc/confluent/privkey.pem')
         ctx.set_verify(libssln.VERIFY_PEER, lambda *args: True)
@@ -357,7 +358,6 @@ def _tlsstartup(cnn):
             ctx.set_ciphers(
                 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:'
                 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384')
-            ctx.set_tmp_ecdh(crypto.get_elliptic_curve('secp384r1'))
             ctx.load_cert_chain('/etc/confluent/srvcert.pem',
                                 '/etc/confluent/privkey.pem')
             cnn = ctx.wrap_socket(cnn, server_side=True)