diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index a59bb4f2ad..d59e90ded6 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -453,14 +453,18 @@ isc_tlsctx_set_protocols(isc_tlsctx_t *ctx, const uint32_t tls_versions) {
 for (uint32_t tls_ver = ISC_TLS_PROTO_VER_1_2;
 tls_ver < ISC_TLS_PROTO_VER_UNDEFINED; tls_ver <<= 1)
 {
- /* Only supported versions should ever be passed to the
- * function. The configuration file was not verified
- * properly, if we are trying to enable an unsupported
- * TLS version */
- INSIST(isc_tls_protocol_supported(tls_ver));
 if ((tls_versions & tls_ver) == 0) {
 set_options |= get_tls_version_disable_bit(tls_ver);
 } else {
+ /*
+ * Only supported versions should ever be passed to the
+ * function SSL_CTX_clear_options. For example, in order
+ * to enable TLS v1.2, we have to clear
+ * SSL_OP_NO_TLSv1_2. Insist that the configuration file
+ * was verified properly, so we are not trying to enable
+ * an unsupported TLS version.
+ */
+ INSIST(isc_tls_protocol_supported(tls_ver));
 clear_options |= get_tls_version_disable_bit(tls_ver);
 }
 versions &= ~(tls_ver);
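Review bot: Moving the INSIST into the enable branch means the disable branch (`set_options |= get_tls_version_disable_bit(tls_ver);`) now runs for versions that `isc_tls_protocol_supported()` would reject, and nothing in this hunk shows whether that helper tolerates such a version or asserts on its own. If it is meant to yield a harmless bit for versions this build's TLS library lacks, say so on the disable branch, e.g. `/* Unsupported versions are already unavailable; the disable bit is only a no-op for them. */`; otherwise guard it with `if (isc_tls_protocol_supported(tls_ver)) { set_options |= get_tls_version_disable_bit(tls_ver); }` so an unsupported version that is merely absent from tls_versions is skipped rather than handed to the helper. Note that the INSIST still turns a config-validation gap into a process abort, so the validation the comment relies on should be covered by a test for the enable path. The enclosing isc_tlsctx_set_protocols() starts before and ends after this hunk.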