diff --git a/src/nvme/fabrics.c b/src/nvme/fabrics.c
index b0821e963..3c4997d14 100644
--- a/src/nvme/fabrics.c
+++ b/src/nvme/fabrics.c
@@ -627,6 +627,16 @@ static int build_options(nvme_host_t h, nvme_ctrl_t c, char **argstr)
 ctrlkey = nvme_ctrl_get_dhchap_key(c);
+ if (cfg->tls && cfg->concat) {
+ nvme_msg(h->r, LOG_ERR, "cannot specify --tls and --concat together\n");
+ return -ENVME_CONNECT_INVAL;
+ }
+
+ if (cfg->concat && !hostkey) {
+ nvme_msg(h->r, LOG_ERR, "required argument [--dhchap-secret | -S] not specified with --concat\n");
+ return -ENVME_CONNECT_INVAL;
+ }
+
+ if (cfg->tls) {
 ret = __nvme_import_keys_from_config(h, c, &keyring_id, &key_id);
 if (ret) {
@@ -1001,6 +1011,34 @@ int nvmf_connect_ctrl(nvme_ctrl_t c)
 return 0;
 }
+static void nvmf_update_tls_concat(struct nvmf_disc_log_entry *e,
+ nvme_ctrl_t c, nvme_host_t h)
+{
+ if (e->trtype != NVMF_TRTYPE_TCP ||
+ e->tsas.tcp.sectype == NVMF_TCP_SECTYPE_NONE)
+ return;
+
+ if (e->treq & NVMF_TREQ_REQUIRED) {
+ nvme_msg(h->r, LOG_DEBUG,
+ "setting --tls due to treq %s and sectype %s\n",
+ nvmf_treq_str(e->treq),
+ nvmf_sectype_str(e->tsas.tcp.sectype));
+
+ c->cfg.tls = true;
+ return;
+ }
+
+ if (e->treq & NVMF_TREQ_NOT_REQUIRED) {
+ nvme_msg(h->r, LOG_DEBUG,
+ "setting --concat due to treq %s and sectype %s\n",
+ nvmf_treq_str(e->treq),
+ nvmf_sectype_str(e->tsas.tcp.sectype));
+
+ c->cfg.concat = true;
+ return;
+ }
+}
+
 nvme_ctrl_t nvmf_connect_disc_entry(nvme_host_t h,
 struct nvmf_disc_log_entry *e,
 const struct nvme_fabrics_config *cfg,
@@ -1099,9 +1137,8 @@ nvme_ctrl_t nvmf_connect_disc_entry(nvme_host_t h,
 nvmf_check_option(h->r, disable_sqflow))
 c->cfg.disable_sqflow = true;
- if (e->trtype == NVMF_TRTYPE_TCP &&
- e->tsas.tcp.sectype != NVMF_TCP_SECTYPE_NONE)
- c->cfg.tls = true;
+ /* update tls or concat */
+ nvmf_update_tls_concat(e, c, h);
 ret = nvmf_add_ctrl(h, c, cfg);
 if (!ret)
diff --git a/src/nvme/tree.c b/src/nvme/tree.c
index c363cd13c..29b62ae4c 100644
--- a/src/nvme/tree.c
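Review bot: Both new error strings in build_options are worded as command-line mistakes (`--tls`, `--concat`, `[--dhchap-secret | -S]`), but in this same commit `concat` is also set with no user option involved: by nvmf_update_tls_concat from a discovery log entry and by nvme_read_sysfs_tls_mode from sysfs. A host without a DH-HMAC-CHAP key that connects through such a discovery entry would be told an argument is missing for an option it never passed. Wording the messages around the setting, for example `"concat requires a DH-HMAC-CHAP host key\n"` and `"tls and concat are mutually exclusive\n"`, keeps the log accurate on every path. build_options starts and ends outside this hunk, so where `hostkey` is assigned cannot be checked here.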
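Review bot: nvmf_update_tls_concat sets neither flag when the entry advertises a TCP security type but `treq` has neither NVMF_TREQ_REQUIRED nor NVMF_TREQ_NOT_REQUIRED set, whereas the lines it replaces in nvmf_connect_disc_entry (last fabrics.c hunk) set `c->cfg.tls = true` for every sectype other than NVMF_TCP_SECTYPE_NONE. The log entry is data from the discovery controller, so this default decides whether such a connection is encrypted, and the fall-through is not logged. If dropping TLS in that case is intended, state it in a comment above the function; otherwise keep the previous default by ending the function with `c->cfg.tls = true;` after the two `treq` branches. The `return;` closing the second branch is redundant.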
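Review bot: The flag derived from the discovery entry is written into `c->cfg` immediately before `nvmf_add_ctrl(h, c, cfg)`, and the caller's `cfg` is not consulted when choosing between tls and concat. If nvmf_add_ctrl merges `cfg->tls` into the controller config (not visible in this hunk), a caller that asked for TLS and receives an entry with NVMF_TREQ_NOT_REQUIRED ends up with both flags set, and the connect is rejected by the new mutual-exclusion check in build_options. Consider passing `cfg` to the helper and skipping the concat assignment when `cfg->tls` is set, and replace `/* update tls or concat */` with a comment that states the rule, such as `/* derive tls/concat from the entry's treq and sectype */`. nvmf_connect_disc_entry starts and ends outside the hunk.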
+++ b/src/nvme/tree.c
@@ -1980,6 +1980,20 @@ static char *nvme_ctrl_lookup_phy_slot(nvme_root_t r, const char *address)
 return NULL;
 }
+static void nvme_read_sysfs_tls_mode(nvme_root_t r, nvme_ctrl_t c)
+{
+ _cleanup_free_ char *mode = NULL;
+
+ mode = nvme_get_ctrl_attr(c, "tls_mode");
+ if (!mode)
+ return;
+
+ if (!strcmp(mode, "tls"))
+ c->cfg.tls = true;
+ else if (!strcmp(mode, "concat"))
+ c->cfg.concat = true;
+}
+
 static void nvme_read_sysfs_dhchap(nvme_root_t r, nvme_ctrl_t c)
 {
 char *host_key, *ctrl_key;
@@ -2013,10 +2027,9 @@ static void nvme_read_sysfs_tls(nvme_root_t r, nvme_ctrl_t c)
 key = nvme_get_ctrl_attr(c, "tls_key");
 if (!key) {
- /* tls_key is only present if --tls has been used. */
+ /* tls_key is only present if --tls or --concat has been used */
 return;
 }
- c->cfg.tls = true;
 keyring = nvme_get_ctrl_attr(c, "tls_keyring");
 nvme_ctrl_set_keyring(c, keyring);
@@ -2089,6 +2102,7 @@ static int nvme_reconfigure_ctrl(nvme_root_t r, nvme_ctrl_t c, const char *path,
 c->phy_slot = nvme_ctrl_lookup_phy_slot(r, c->address);
 nvme_read_sysfs_dhchap(r, c);
 nvme_read_sysfs_tls(r, c);
+ nvme_read_sysfs_tls_mode(r, c);
 errno = 0; /* cleanup after nvme_get_ctrl_attr() */
 return 0;
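Review bot: nvme_read_sysfs_tls_mode returns without touching the config when the `tls_mode` attribute is absent, and the next hunk removes `c->cfg.tls = true;` from nvme_read_sysfs_tls, so a controller whose sysfs directory has `tls_key` but no `tls_mode` is now read back as not using TLS. If kernels exposing only `tls_key` exist, anything that rebuilds connect options from the scanned tree would lose the TLS setting; keeping the old inference as a fallback in the `!mode` case would avoid that. A value other than `"tls"` or `"concat"` is also ignored silently, where an `nvme_msg(r, LOG_DEBUG, ...)` line would make it visible and give the otherwise unused `r` parameter a purpose.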