diff --git a/server/reload.go b/server/reload.go
index 0b23b298..aff64ccd 100644
--- a/server/reload.go
+++ b/server/reload.go
@@ -206,7 +206,7 @@ type tlsOption struct {
 func (t *tlsOption) Apply(server *Server) {
 server.mu.Lock()
 tlsRequired := t.newValue != nil
- server.info.TLSRequired = tlsRequired
+ server.info.TLSRequired = tlsRequired && !server.getOpts().AllowNonTLS
 message := "disabled"
 if tlsRequired {
 server.info.TLSVerify = (t.newValue.ClientAuth == tls.RequireAndVerifyClientCert)
diff --git a/test/tls_test.go b/test/tls_test.go
index caee38d3..26106cc0 100644
--- a/test/tls_test.go
+++ b/test/tls_test.go
@@ -1973,3 +1973,40 @@ func TestTLSPinnedCertsRoute(t *testing.T) {
 checkNumRoutes(t, srvSeed, 0)
 checkNumRoutes(t, srv, 0)
 }
+
+func TestAllowNonTLSReload(t *testing.T) {
+ tmpl := `
+ listen: "127.0.0.1:-1"
+ ping_interval: "%s"
+ tls {
+ ca_file: "configs/certs/ca.pem"
+ cert_file: "configs/certs/server-cert.pem"
+ key_file: "configs/certs/server-key.pem"
+ }
+ allow_non_tls: true
+ `
+ conf := createConfFile(t, []byte(fmt.Sprintf(tmpl, "10s")))
+ defer removeFile(t, conf)
+ s, o := RunServerWithConfig(conf)
+ defer s.Shutdown()
+
+ check := func() {
+ t.Helper()
+ nc := createClientConn(t, "127.0.0.1", o.Port)
+ defer nc.Close()
+ info := checkInfoMsg(t, nc)
+ if !info.TLSAvailable {
+ t.Fatal("TLSAvailable should be true, was false")
+ }
+ if info.TLSRequired {
+ t.Fatal("TLSRequired should be false, was true")
+ }
+ }
+ check()
+
+ os.WriteFile(conf, []byte(fmt.Sprintf(tmpl, "20s")), 0660)
+ if err := s.Reload(); err != nil {
+ t.Fatalf("Error on reload: %v", err)
+ }
+ check()
+}
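Review bot: `server.getOpts()` on the added line is called while `server.mu` is held (locked two lines above), so the change is only safe if getOpts synchronises on a mutex other than `server.mu`; that is not visible in this hunk, and the lock-ordering assumption deserves a one-line comment: `// getOpts() must not acquire server.mu: it is held here.`. The `message` and `TLSVerify` logic just below still keys off `tlsRequired` alone, so after this change the reload log can report TLS as enabled while INFO advertises it as optional — correct, but reading the flag once into a local such as `allowNonTLS := server.getOpts().AllowNonTLS` and mentioning it in the log line would make the advertised state auditable. This fix only takes effect when the tls block is re-applied on reload; if `allow_non_tls` can change without a tls change, the advertised `TLSRequired` would go stale unless a separate option handler covers that flag (not visible here). Apply's body continues past the end of the hunk.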
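Review bot: The `os.WriteFile` return value before `s.Reload()` is discarded, so a failed rewrite leaves the old config on disk, the reload re-reads it unchanged, and the second `check()` passes without exercising the path the test exists for. Guard it: `if err := os.WriteFile(conf, []byte(fmt.Sprintf(tmpl, "20s")), 0660); err != nil { t.Fatalf("Error writing config: %v", err) }`. The test also appears to rely on the tls block being re-applied on every reload even though only `ping_interval` differs between the two configs; if that is how the reload diff behaves, say so with a comment like `// Only ping_interval changes; the tls block is re-applied on every reload, which is the path that previously reset TLSRequired.`, and if it is not, change a tls field instead so tlsOption.Apply is certainly triggered.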