diff --git a/handshake/crypto_setup_client_test.go b/handshake/crypto_setup_client_test.go
index 98bc8fea..cbee71d9 100644
--- a/handshake/crypto_setup_client_test.go
+++ b/handshake/crypto_setup_client_test.go
@@ -578,7 +578,7 @@ var _ = Describe("Crypto setup", func() {
 })
 Context("escalating crypto", func() {
- foobarFNVSigned := []byte{0x18, 0x6f, 0x44, 0xba, 0x97, 0x35, 0xd, 0x6f, 0xbf, 0x64, 0x3c, 0x79, 0x66, 0x6f, 0x6f, 0x62, 0x61, 0x72}
+ var foobarFNVSigned []byte
 doCompleteREJ := func() {
 cs.serverVerified = true
@@ -595,6 +595,7 @@ var _ = Describe("Crypto setup", func() {
 // sets all values necessary for escalating to secureAEAD
 BeforeEach(func() {
+ foobarFNVSigned = []byte{0x18, 0x6f, 0x44, 0xba, 0x97, 0x35, 0xd, 0x6f, 0xbf, 0x64, 0x3c, 0x79, 0x66, 0x6f, 0x6f, 0x62, 0x61, 0x72}
 kex, err := crypto.NewCurve25519KEX()
 Expect(err).ToNot(HaveOccurred())
 cs.serverConfig = &serverConfigClient{
@@ -706,6 +707,13 @@ var _ = Describe("Crypto setup", func() {
 Expect(err).To(MatchError("authentication failed"))
 Expect(enc).To(Equal(protocol.EncryptionUnspecified))
 })
+
+ It("errors if the has the wrong hash", func() {
+ foobarFNVSigned[0]++
+ _, enc, err := cs.Open(nil, foobarFNVSigned, 0, []byte{})
+ Expect(err).To(MatchError("NullAEAD: failed to authenticate received data"))
+ Expect(enc).To(Equal(protocol.EncryptionUnspecified))
+ })
 })
 Context("initial encryption", func() {
diff --git a/handshake/crypto_setup_server_test.go b/handshake/crypto_setup_server_test.go
index 341c7e68..736efe1d 100644
--- a/handshake/crypto_setup_server_test.go
+++ b/handshake/crypto_setup_server_test.go
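Review bot: `foobarFNVSigned` is declared in the first hunk of crypto_setup_client_test.go and assigned in BeforeEach in the second, with no comment saying what the bytes are or why the fixture is rebuilt for every spec. The last six bytes spell "foobar" in ASCII, so the first twelve are the hash the name refers to; a comment on the declaration would record that, e.g. `// 12-byte FNV hash followed by the plaintext "foobar"; reset in BeforeEach because a spec mutates it`. The matching declaration in crypto_setup_server_test.go would take the same comment. The enclosing Context and BeforeEach continue outside these hunks.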
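Review bot: The spec added in the last hunk of crypto_setup_client_test.go corrupts only the first byte of the hash (`foobarFNVSigned[0]++`), so a regression that stops binding the payload to the hash would still pass; the identical spec added in crypto_setup_server_test.go has the same gap. A second case that alters a payload byte and leaves the hash untouched, `foobarFNVSigned[len(foobarFNVSigned)-1]++`, would pin that, and one passing a non-empty last argument to `cs.Open` (presumably the associated data) would cover the remaining input. The title is also missing its subject: `It("errors if the packet has the wrong hash", func() {`. The enclosing Context starts and ends outside the hunk.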
@@ -475,7 +475,11 @@ var _ = Describe("Crypto setup", func() {
 })
 Context("escalating crypto", func() {
- foobarFNVSigned := []byte{0x18, 0x6f, 0x44, 0xba, 0x97, 0x35, 0xd, 0x6f, 0xbf, 0x64, 0x3c, 0x79, 0x66, 0x6f, 0x6f, 0x62, 0x61, 0x72}
+ var foobarFNVSigned []byte
+
+ BeforeEach(func() {
+ foobarFNVSigned = []byte{0x18, 0x6f, 0x44, 0xba, 0x97, 0x35, 0xd, 0x6f, 0xbf, 0x64, 0x3c, 0x79, 0x66, 0x6f, 0x6f, 0x62, 0x61, 0x72}
+ })
 doCHLO := func() {
 _, err := cs.handleCHLO("", []byte("chlo-data"), map[Tag][]byte{
@@ -502,6 +506,13 @@ var _ = Describe("Crypto setup", func() {
 Expect(enc).To(Equal(protocol.EncryptionUnencrypted))
 })
+ It("errors if the has the wrong hash", func() {
+ foobarFNVSigned[0]++
+ _, enc, err := cs.Open(nil, foobarFNVSigned, 0, []byte{})
+ Expect(err).To(MatchError("NullAEAD: failed to authenticate received data"))
+ Expect(enc).To(Equal(protocol.EncryptionUnspecified))
+ })
+
 It("is still accepted after CHLO", func() {
 doCHLO()
 Expect(cs.secureAEAD).ToNot(BeNil())
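Review bot: The wrong-hash spec in the second hunk of crypto_setup_server_test.go runs only before `doCHLO()`, so rejection of a corrupted packet is not checked in the state that the following spec, "is still accepted after CHLO", shows still accepts hash-protected packets. A sibling spec that calls `doCHLO()` first and then opens the corrupted fixture would cover the path where `cs.secureAEAD` is already set. The error string returned in that state is not visible in this hunk, so the sketch below asserts only that an error occurs; tighten it to the exact message and to `protocol.EncryptionUnspecified` once confirmed. The enclosing Context continues outside the hunk.

```go
It("rejects a packet with the wrong hash after CHLO", func() {
	doCHLO()
	foobarFNVSigned[0]++
	_, _, err := cs.Open(nil, foobarFNVSigned, 0, []byte{})
	Expect(err).To(HaveOccurred())
})
```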