diff --git a/handler/src/main/java/io/netty/handler/ssl/CipherSuiteConverter.java b/handler/src/main/java/io/netty/handler/ssl/CipherSuiteConverter.java
index a3afeda3fe..1737ad1e1d 100644
--- a/handler/src/main/java/io/netty/handler/ssl/CipherSuiteConverter.java
+++ b/handler/src/main/java/io/netty/handler/ssl/CipherSuiteConverter.java
@@ -276,6 +276,11 @@ final class CipherSuiteConverter {
         Map<String, String> p2j = o2j.get(openSslCipherSuite);
         if (p2j == null) {
             p2j = cacheFromOpenSsl(openSslCipherSuite);
+            // This may happen if this method is queried when OpenSSL doesn't yet have a cipher setup. It will return
+            // "(NONE)" in this case.
+            if (p2j == null) {
+                return null;
+            }
         }
 
         String javaCipherSuite = p2j.get(protocol);
diff --git a/handler/src/test/java/io/netty/handler/ssl/CipherSuiteConverterTest.java b/handler/src/test/java/io/netty/handler/ssl/CipherSuiteConverterTest.java
index 92e1aad49c..11c6f2d229 100644
--- a/handler/src/test/java/io/netty/handler/ssl/CipherSuiteConverterTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/CipherSuiteConverterTest.java
@@ -20,8 +20,10 @@ import io.netty.util.internal.logging.InternalLogger;
 import io.netty.util.internal.logging.InternalLoggerFactory;
 import org.junit.Test;
 
-import static org.hamcrest.Matchers.*;
-import static org.junit.Assert.*;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.sameInstance;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertThat;
 
 public class CipherSuiteConverterTest {
 
@@ -271,6 +273,34 @@ public class CipherSuiteConverterTest {
         testCachedJ2OMapping("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "ECDHE-ECDSA-AES128-SHA256");
     }
 
+    @Test
+    public void testUnknownOpenSSLCiphersToJava() {
+        testUnknownOpenSSLCiphersToJava("(NONE)");
+        testUnknownOpenSSLCiphersToJava("unknown");
+        testUnknownOpenSSLCiphersToJava("");
+    }
+
+    @Test
+    public void testUnknownJavaCiphersToOpenSSL() {
+        testUnknownJavaCiphersToOpenSSL("(NONE)");
+        testUnknownJavaCiphersToOpenSSL("unknown");
+        testUnknownJavaCiphersToOpenSSL("");
+    }
+
+    private void testUnknownOpenSSLCiphersToJava(String openSslCipherSuite) {
+        CipherSuiteConverter.clearCache();
+
+        assertNull(CipherSuiteConverter.toJava(openSslCipherSuite, "TLS"));
+        assertNull(CipherSuiteConverter.toJava(openSslCipherSuite, "SSL"));
+    }
+
+    private void testUnknownJavaCiphersToOpenSSL(String javaCipherSuite) {
+        CipherSuiteConverter.clearCache();
+
+        assertNull(CipherSuiteConverter.toOpenSsl(javaCipherSuite));
+        assertNull(CipherSuiteConverter.toOpenSsl(javaCipherSuite));
+    }
+
     private static void testCachedJ2OMapping(String javaCipherSuite, String openSslCipherSuite) {
         CipherSuiteConverter.clearCache();