diff --git a/handshake/crypto_setup.go b/handshake/crypto_setup.go
index 962bc24b..0c2de643 100644
--- a/handshake/crypto_setup.go
+++ b/handshake/crypto_setup.go
@@ -74,7 +74,7 @@ func (h *CryptoSetup) HandleCryptoStream() error {
 cachingReader := utils.NewCachingReader(h.cryptoStream)
 messageTag, cryptoData, err := ParseHandshakeMessage(cachingReader)
 if err != nil {
- return err
+ return qerr.HandshakeFailed
 }
 if messageTag != TagCHLO {
 return qerr.InvalidCryptoMessageType
@@ -324,11 +324,3 @@ func (h *CryptoSetup) LockForSealing() {
 func (h *CryptoSetup) UnlockForSealing() {
 h.mutex.RUnlock()
 }
-
-func (h *CryptoSetup) verifyOrCreateSTK(token []byte) ([]byte, error) {
- err := h.scfg.stkSource.VerifyToken(h.ip, token)
- if err != nil {
- return h.scfg.stkSource.NewToken(h.ip)
- }
- return token, nil
-}
diff --git a/handshake/crypto_setup_test.go b/handshake/crypto_setup_test.go
index 82c28d84..e289ed11 100644
--- a/handshake/crypto_setup_test.go
+++ b/handshake/crypto_setup_test.go
@@ -7,6 +7,7 @@ import (
 "github.com/lucas-clemente/quic-go/crypto"
 "github.com/lucas-clemente/quic-go/protocol"
+ "github.com/lucas-clemente/quic-go/qerr"
 . "github.com/onsi/ginkgo"
 . "github.com/onsi/gomega"
@@ -286,7 +287,7 @@ var _ = Describe("Crypto setup", func() {
 })
 It("recognizes inchoate CHLOs missing PUBS", func() {
- Expect(cs.isInchoateCHLO(map[Tag][]byte{TagSCID: nil})).To(BeTrue())
+ Expect(cs.isInchoateCHLO(map[Tag][]byte{TagSCID: scfg.ID})).To(BeTrue())
 })
 It("recognizes proper CHLOs", func() {
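Review bot: In HandleCryptoStream (handshake/crypto_setup.go, the hunk at -74) the error returned by ParseHandshakeMessage is now discarded, so a read failure on the crypto stream, a truncated message and a malformed one all surface as the same qerr.HandshakeFailed with no trace of the cause. Returning a generic code to the peer is a sound choice, but the original err should still be recorded locally before it is replaced, so that repeated malformed handshakes can be told apart from ordinary connection drops during triage. At minimum I would add a comment above the return, `// Parser and stream errors are collapsed into HandshakeFailed; the underlying err is deliberately not returned.`, and pass err to the package's logger if it has one. The function body continues outside the hunk.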
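Review bot: In the "recognizes inchoate CHLOs missing PUBS" case of handshake/crypto_setup_test.go, replacing the nil SCID with scfg.ID makes the test isolate the missing-PUBS path, but the input it used to exercise (an SCID that does not match the server config) is no longer covered by anything visible in this hunk. If no case outside the hunk covers it, add a sibling such as `It("recognizes inchoate CHLOs with a mismatching SCID", func() { ... })` that supplies a PUBS value together with a wrong SCID, since that comparison presumably decides whether the server continues with a full handshake. The surrounding Describe block starts and ends outside the hunk.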
@@ -310,6 +311,26 @@ var _ = Describe("Crypto setup", func() {
 Expect(err).To(MatchError("CryptoMessageParameterNotFound: SNI required"))
 })
+ It("errors with empty SNI", func() {
+ WriteHandshakeMessage(&stream.dataToRead, TagCHLO, map[Tag][]byte{
+ TagSTK: validSTK,
+ TagSNI: nil,
+ })
+ err := cs.HandleCryptoStream()
+ Expect(err).To(MatchError("CryptoMessageParameterNotFound: SNI required"))
+ })
+
+ It("errors with invalid message", func() {
+ err := cs.HandleCryptoStream()
+ Expect(err).To(MatchError(qerr.HandshakeFailed))
+ })
+
+ It("errors with non-CHLO message", func() {
+ WriteHandshakeMessage(&stream.dataToRead, TagPAD, nil)
+ err := cs.HandleCryptoStream()
+ Expect(err).To(MatchError(qerr.InvalidCryptoMessageType))
+ })
+
 Context("escalating crypto", func() {
 foobarFNVSigned := []byte{0x18, 0x6f, 0x44, 0xba, 0x97, 0x35, 0xd, 0x6f, 0xbf, 0x64, 0x3c, 0x79, 0x66, 0x6f, 0x6f, 0x62, 0x61, 0x72}
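Review bot: The "errors with invalid message" case never writes anything to the stream, so it exercises the empty-read path of ParseHandshakeMessage rather than the rejection of a malformed message that its name promises. Since the parser is the first code to touch bytes from an unauthenticated peer, I would rename this case to "errors with empty stream" and add one that feeds bytes that are not a valid handshake message, e.g. `stream.dataToRead.Write([]byte("not a handshake message"))` before the call (assuming dataToRead is a bytes.Buffer, as its use with WriteHandshakeMessage suggests). That case should assert the same qerr.HandshakeFailed. The enclosing Describe block starts and ends outside the hunk.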