diff --git a/internal/handshake/qtls.go b/internal/handshake/qtls.go
index e0b65b370..8880d9cb9 100644
--- a/internal/handshake/qtls.go
+++ b/internal/handshake/qtls.go
@@ -70,6 +70,9 @@ func tlsConfigToQtlsConfig(
 	if c == nil {
 		c = &tls.Config{}
 	}
+	// Clone the config first. This executes the tls.Config.serverInit().
+	// This sets the SessionTicketKey, if the user didn't supply one.
+	c = c.Clone()
 	// QUIC requires TLS 1.3 or newer
 	minVersion := c.MinVersion
 	if minVersion < qtls.VersionTLS13 {
diff --git a/internal/handshake/qtls_test.go b/internal/handshake/qtls_test.go
index 3e95a7feb..b999aebfe 100644
--- a/internal/handshake/qtls_test.go
+++ b/internal/handshake/qtls_test.go
@@ -63,6 +63,14 @@ var _ = Describe("qtls.Config generation", func() {
 		Expect(extHandler.received).To(BeTrue())
 	})
 
+	It("initializes such that the session ticket key remains constant", func() {
+		tlsConf := &tls.Config{}
+		qtlsConf1 := tlsConfigToQtlsConfig(tlsConf, nil, &mockExtensionHandler{})
+		qtlsConf2 := tlsConfigToQtlsConfig(tlsConf, nil, &mockExtensionHandler{})
+		Expect(qtlsConf1.SessionTicketKey).ToNot(BeZero()) // should now contain a random value
+		Expect(qtlsConf1.SessionTicketKey).To(Equal(qtlsConf2.SessionTicketKey))
+	})
+
 	Context("GetConfigForClient callback", func() {
 		It("doesn't set it if absent", func() {
 			qtlsConf := tlsConfigToQtlsConfig(&tls.Config{}, nil, &mockExtensionHandler{})