diff --git a/libretroshare/src/ft/ftcontroller.cc b/libretroshare/src/ft/ftcontroller.cc
index fe6ada159..94d252ddf 100644
--- a/libretroshare/src/ft/ftcontroller.cc
+++ b/libretroshare/src/ft/ftcontroller.cc
@@ -979,16 +979,20 @@ bool 	ftController::FileRequest(const std::string& fname, const RsFileHash& hash
 	if(alreadyHaveFile(hash, info))
 		return false ;
 
+    // the strategy for requesting encryption is the following:
+    //
+    // if policy is STRICT
+    //	- disable clear, enforce encryption
+    // else
+    //  - if not specified, use clear
+    //
     if(mDefaultEncryptionPolicy == RS_FILE_CTRL_ENCRYPTION_POLICY_STRICT)
     {
         flags |=  RS_FILE_REQ_ENCRYPTED ;
         flags &= ~RS_FILE_REQ_UNENCRYPTED ;
     }
-    else
-    {
-        flags |=  RS_FILE_REQ_ENCRYPTED ;
-        flags |=  RS_FILE_REQ_UNENCRYPTED ;
-    }
+    else if(!(flags & ( RS_FILE_REQ_ENCRYPTED |  RS_FILE_REQ_UNENCRYPTED )))
+            flags |= RS_FILE_REQ_UNENCRYPTED ;
 
 	if(size == 0)	// we treat this special case because
 	{
diff --git a/libretroshare/src/ft/ftserver.cc b/libretroshare/src/ft/ftserver.cc
index 5e112cc43..c1f826b7e 100644
--- a/libretroshare/src/ft/ftserver.cc
+++ b/libretroshare/src/ft/ftserver.cc
@@ -269,7 +269,6 @@ bool ftServer::activateTunnels(const RsFileHash& hash,TransferRequestFlags flags
 #ifdef SERVER_DEBUG
         FTSERVER_DEBUG() << "Activating tunnels for hash " << hash << std::endl;
 #endif
-
         if(flags & RS_FILE_REQ_ENCRYPTED)
         {
 #ifdef SERVER_DEBUG
@@ -277,7 +276,7 @@ bool ftServer::activateTunnels(const RsFileHash& hash,TransferRequestFlags flags
 #endif
             mTurtleRouter->monitorTunnels(hash_of_hash,this,true) ;
         }
-        if(flags & RS_FILE_REQ_UNENCRYPTED)
+        if((flags & RS_FILE_REQ_UNENCRYPTED) && (mFtController->defaultEncryptionPolicy() != RS_FILE_CTRL_ENCRYPTION_POLICY_STRICT))
         {
 #ifdef SERVER_DEBUG
             FTSERVER_DEBUG() << "  flags require no end-to-end encryption. Requesting hash " << hash << std::endl;
@@ -599,6 +598,12 @@ bool ftServer::handleTunnelRequest(const RsFileHash& hash,const RsPeerId& peer_i
         }
     }
 
+    if(mFtController->defaultEncryptionPolicy() == RS_FILE_CTRL_ENCRYPTION_POLICY_STRICT && hash == real_hash)
+    {
+        std::cerr << "(WW) rejecting file transfer for hash " << hash << " because the hash is not encrypted and encryption policy requires it." << std::endl;
+        return false ;
+    }
+
 #ifdef SERVER_DEBUG
     FTSERVER_DEBUG() << "ftServer: performing local hash search for hash " << hash << std::endl;