diff --git a/handshake/crypto_setup_client.go b/handshake/crypto_setup_client.go
index 53b8c24b..6ce08f94 100644
--- a/handshake/crypto_setup_client.go
+++ b/handshake/crypto_setup_client.go
@@ -119,6 +119,10 @@ func (h *cryptoSetupClient) handleREJMessage(cryptoData map[Tag][]byte) error {
 			return err
 		}
 
+		if h.serverConfig.IsExpired() {
+			return qerr.CryptoServerConfigExpired
+		}
+
 		// now that we have a server config, we can use its OBIT value to generate a client nonce
 		if len(h.nonc) == 0 {
 			err = h.generateClientNonce()
diff --git a/handshake/crypto_setup_client_test.go b/handshake/crypto_setup_client_test.go
index a35b643a..8e619708 100644
--- a/handshake/crypto_setup_client_test.go
+++ b/handshake/crypto_setup_client_test.go
@@ -100,6 +100,21 @@ var _ = Describe("Crypto setup", func() {
 				Expect(cs.serverConfig.ID).To(Equal(scfg[TagSCID]))
 			})
 
+			It("rejects expired server configs", func() {
+				b := &bytes.Buffer{}
+				scfg := getDefaultServerConfigClient()
+				scfg[TagEXPY] = []byte{0x80, 0x54, 0x72, 0x4F, 0, 0, 0, 0} // 2012-03-28
+				WriteHandshakeMessage(b, TagSCFG, scfg)
+				tagMap[TagSCFG] = b.Bytes()
+				// make sure we actually set TagEXPY correct
+				serverConfig, err := parseServerConfig(b.Bytes())
+				Expect(err).ToNot(HaveOccurred())
+				Expect(serverConfig.expiry.Year()).To(Equal(2012))
+				// now try to read this server config in the crypto setup
+				err = cs.handleREJMessage(tagMap)
+				Expect(err).To(MatchError(qerr.CryptoServerConfigExpired))
+			})
+
 			It("generates a client nonce after reading a server config", func() {
 				b := &bytes.Buffer{}
 				WriteHandshakeMessage(b, TagSCFG, getDefaultServerConfigClient())
diff --git a/handshake/server_config_client.go b/handshake/server_config_client.go
index 8a589562..a4e17b47 100644
--- a/handshake/server_config_client.go
+++ b/handshake/server_config_client.go
@@ -134,6 +134,10 @@ func (s *serverConfigClient) parseValues(tagMap map[Tag][]byte) error {
 	return nil
 }
 
+func (s *serverConfigClient) IsExpired() bool {
+	return s.expiry.Before(time.Now())
+}
+
 func (s *serverConfigClient) Get() []byte {
 	return s.raw
 }
diff --git a/handshake/server_config_client_test.go b/handshake/server_config_client_test.go
index 2625de93..d2a5babe 100644
--- a/handshake/server_config_client_test.go
+++ b/handshake/server_config_client_test.go
@@ -17,7 +17,7 @@ func getDefaultServerConfigClient() map[Tag][]byte {
 		TagAEAD: []byte("AESG"),
 		TagPUBS: bytes.Repeat([]byte{0}, 35),
 		TagOBIT: bytes.Repeat([]byte{0}, 8),
-		TagEXPY: bytes.Repeat([]byte{0}, 8),
+		TagEXPY: []byte{0x0, 0x6c, 0x57, 0x78, 0, 0, 0, 0}, // 2033-12-24
 	}
 }
 
@@ -45,6 +45,14 @@ var _ = Describe("Server Config", func() {
 		Expect(scfg.raw).To(Equal(b.Bytes()))
 	})
 
+	It("tells if a server config is expired", func() {
+		scfg := &serverConfigClient{}
+		scfg.expiry = time.Now().Add(-time.Second)
+		Expect(scfg.IsExpired()).To(BeTrue())
+		scfg.expiry = time.Now().Add(time.Second)
+		Expect(scfg.IsExpired()).To(BeFalse())
+	})
+
 	Context("parsing the server config", func() {
 		It("rejects a handshake message with the wrong message tag", func() {
 			var serverConfig bytes.Buffer