diff --git a/cmd/jetstream-controller/main.go b/cmd/jetstream-controller/main.go
index 40c24ff2..e5635446 100644
--- a/cmd/jetstream-controller/main.go
+++ b/cmd/jetstream-controller/main.go
@@ -57,6 +57,7 @@ func run() error {
 	cert := flag.String("tlscert", "", "NATS TLS public certificate")
 	key := flag.String("tlskey", "", "NATS TLS private key")
 	ca := flag.String("tlsca", "", "NATS TLS certificate authority chain")
+	tlsfirst := flag.Bool("tlsfirst", false, "If enabled, forces explicit TLS without waiting for Server INFO")
 	server := flag.String("s", "", "NATS Server URL")
 	crdConnect := flag.Bool("crd-connect", false, "If true, then NATS connections will be made from CRD config, not global config")
 	cleanupPeriod := flag.Duration("cleanup-period", 30*time.Second, "Period to run object cleanup")
@@ -111,6 +112,7 @@ func run() error {
 		NATSCA: *ca,
 		NATSCertificate: *cert,
 		NATSKey: *key,
+		NATSTLSFirst: *tlsfirst,
 		KubeIface: kc,
 		JetstreamIface: jc,
 		Namespace: *namespace,
diff --git a/controllers/jetstream/controller.go b/controllers/jetstream/controller.go
index 828e5561..785b3559 100644
--- a/controllers/jetstream/controller.go
+++ b/controllers/jetstream/controller.go
@@ -75,6 +75,8 @@ type Options struct {
 	NATSCertificate string
 	NATSKey string
 
+	NATSTLSFirst bool
+
 	Namespace string
 	CRDConnect bool
 	CleanupPeriod time.Duration
@@ -180,6 +182,9 @@ func (c *Controller) Run() error {
 	opts := make([]nats.Option, 0)
 	// Always attempt to have a connection to NATS.
 	opts = append(opts, nats.MaxReconnects(-1))
+	if c.opts.NATSTLSFirst {
+		opts = append(opts, nats.TLSHandshakeFirst())
+	}
 	natsCtxDefaults := &natsContextDefaults{Name: c.opts.NATSClientName}
 	if !c.opts.CRDConnect {
 		// Use JWT/NKEYS based credentials if present.
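Review bot: The help text of the new `tlsfirst` flag in the first main.go hunk does not tell the operator that the server side must also be configured for TLS-first connections; with the option set, the client starts the TLS handshake immediately, so a server that still sends its INFO in cleartext first will not be able to connect, and the failure will look like a generic connection error. Stating the precondition in the flag description would save that debugging round: `tlsfirst := flag.Bool("tlsfirst", false, "Perform the TLS handshake before waiting for the server INFO (the NATS server must be configured for TLS-first connections)")`. It is also worth a sentence there that the flag only changes handshake ordering and does not by itself enable TLS; the certificate and CA flags above it still govern that. run() continues outside the hunk.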
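Review bot: The exported `NATSTLSFirst` field added to `Options` in the first controller.go hunk has no doc comment, unlike a reader would expect for a field that changes the connection's security posture, and the surrounding blank lines separate it from the other `NATS*` fields it belongs with. Suggest `// NATSTLSFirst performs the TLS handshake before reading the server INFO (nats.TLSHandshakeFirst), so no protocol data is exchanged in cleartext.` directly above the field, placed in the same group as `NATSKey`. The Options struct starts before this hunk and continues after it.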
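Review bot: In the Run() hunk the new option is appended to `opts` before the `if !c.opts.CRDConnect` branch, so it reaches whichever connection those `opts` are later passed to, but if the CRD-connect path builds its own nats options from the CRD's TLS settings (outside this hunk), `NATSTLSFirst` will silently not apply to per-CRD connections and the TLS-first hardening would be only partially in effect; that is inferred from the branch shape, not visible here, and is worth confirming or documenting at the flag. The added block also deserves a why-comment, since the reason for handshake-first is not obvious from the call name: `// TLS-first: handshake before the server INFO, so nothing is sent in cleartext.` Run() continues outside the hunk.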