diff --git a/lib/core-net/connect.c b/lib/core-net/connect.c index 700d0c2c6..7c1700903 100644 --- a/lib/core-net/connect.c +++ b/lib/core-net/connect.c @@ -50,10 +50,6 @@ lws_client_connect_via_info(const struct lws_client_connect_info *i) if (i->local_protocol_name) local = i->local_protocol_name; - if ((i->ssl_connection & LCCSCF_USE_SSL) && - lws_tls_restrict_borrow(i->context)) - return NULL; - lws_stats_bump(&i->context->pt[tid], LWSSTATS_C_CONNS_CLIENT, 1); /* PHASE 1: create a bare wsi */ diff --git a/lib/roles/http/client/client-http.c b/lib/roles/http/client/client-http.c index ad99acc6d..61019e19f 100644 --- a/lib/roles/http/client/client-http.c +++ b/lib/roles/http/client/client-http.c @@ -251,13 +251,19 @@ start_ws_handshake: #if defined(LWS_WITH_TLS) /* we can retry this... just cook the SSL BIO the first time */ - if ((wsi->tls.use_ssl & LCCSCF_USE_SSL) && !wsi->tls.ssl && - lws_ssl_client_bio_create(wsi) < 0) { - cce = "bio_create failed"; - goto bail3; - } - if (wsi->tls.use_ssl & LCCSCF_USE_SSL) { + + if (!wsi->transaction_from_pipeline_queue && + lws_tls_restrict_borrow(wsi->context)) { + cce = "tls restriction limit"; + goto bail3; + } + + if (!wsi->tls.ssl && lws_ssl_client_bio_create(wsi) < 0) { + cce = "bio_create failed"; + goto bail3; + } + n = lws_ssl_client_connect1(wsi); if (!n) return 0; diff --git a/lib/tls/mbedtls/mbedtls-ssl.c b/lib/tls/mbedtls/mbedtls-ssl.c index b534957c3..f57a837f6 100644 --- a/lib/tls/mbedtls/mbedtls-ssl.c +++ b/lib/tls/mbedtls/mbedtls-ssl.c @@ -245,8 +245,7 @@ lws_ssl_close(struct lws *wsi) SSL_free(wsi->tls.ssl); wsi->tls.ssl = NULL; - if (!lwsi_role_client(wsi)) - lws_tls_restrict_return(wsi->context); + lws_tls_restrict_return(wsi->context); return 1; /* handled */ } diff --git a/lib/tls/tls.c b/lib/tls/tls.c index 6f1f1739a..3021c0c21 100644 --- a/lib/tls/tls.c +++ b/lib/tls/tls.c 
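Review bot: In lib/roles/http/client/client-http.c the new `lws_tls_restrict_borrow()` call sits outside the `!wsi->tls.ssl` guard, so unlike the BIO creation it runs on every pass through this block. The kept comment says this step can be retried and `lws_ssl_client_connect1()` returning 0 leaves through `return 0`, so one connection may take several slots while the close path returns only one. A failed `lws_ssl_client_bio_create()` also jumps to `bail3` with the slot still held, and whether that path reaches `lws_tls_restrict_return()` is not visible here; leaked slots pin the counter at the limit and every later TLS client connect is refused. Borrowing only on the first pass and handing the slot back on BIO failure, as sketched below, keeps it one slot per TLS session. The `start_ws_handshake` block begins and ends outside the hunk.

```c
	if (wsi->tls.use_ssl & LCCSCF_USE_SSL) {

		if (!wsi->tls.ssl) {
			/* first pass only: one slot per TLS session */
			if (!wsi->transaction_from_pipeline_queue &&
			    lws_tls_restrict_borrow(wsi->context)) {
				cce = "tls restriction limit";
				goto bail3;
			}

			if (lws_ssl_client_bio_create(wsi) < 0) {
				/* confirm bail3 teardown does not also return it */
				if (!wsi->transaction_from_pipeline_queue)
					lws_tls_restrict_return(wsi->context);
				cce = "bio_create failed";
				goto bail3;
			}
		}

		/* … unchanged: lws_ssl_client_connect1() and its result handling … */
```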
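Review bot: Only the mbedtls `lws_ssl_close()` in lib/tls/mbedtls/mbedtls-ssl.c loses its `!lwsi_role_client(wsi)` guard in this diff, and no other TLS backend's close path appears. If another backend keeps the same guard, slots borrowed by the new client-side call in client-http.c would never be returned on builds using it, and the counter would stay at the limit. Please confirm the other backend(s) received the matching change, and add a comment above the call such as `/* clients borrow in the client handshake path, so both roles return here */`. The function body starts outside the hunk.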
@@ -61,17 +61,25 @@ lws_tls_restrict_borrow(struct lws_context *context) /* that was the last allowed SSL connection */ lws_gate_accepts(context, 0); + lwsl_info("%s: %d -> %d\n", __func__, + context->simultaneous_ssl - 1, + context->simultaneous_ssl); + return 0; } void lws_tls_restrict_return(struct lws_context *context) { - if (context->simultaneous_ssl_restriction && - context->simultaneous_ssl-- == - context->simultaneous_ssl_restriction) - /* we made space and can do an accept */ - lws_gate_accepts(context, 1); + if (context->simultaneous_ssl_restriction) { + if (context->simultaneous_ssl-- == + context->simultaneous_ssl_restriction) + /* we made space and can do an accept */ + lws_gate_accepts(context, 1); + lwsl_info("%s: %d -> %d\n", __func__, + context->simultaneous_ssl + 1, + context->simultaneous_ssl); + } } void diff --git a/minimal-examples/http-client/minimal-http-client-multi/minimal-http-client-multi.c b/minimal-examples/http-client/minimal-http-client-multi/minimal-http-client-multi.c index a6ada9a0d..7a326c657 100644 --- a/minimal-examples/http-client/minimal-http-client-multi/minimal-http-client-multi.c +++ b/minimal-examples/http-client/minimal-http-client-multi/minimal-http-client-multi.c @@ -375,6 +375,9 @@ int main(int argc, const char **argv) info.client_ssl_ca_filepath = "./warmcat.com.cer"; #endif + if ((p = lws_cmdline_option(argc, argv, "--limit"))) + info.simultaneous_ssl_restriction = atoi(p); + #if defined(LWS_WITH_DETAILED_LATENCY) info.detailed_latency_cb = lws_det_lat_plot_cb; info.detailed_latency_filepath = "/tmp/lws-latency-results"; diff --git a/minimal-examples/http-client/minimal-http-client-multi/selftest.sh b/minimal-examples/http-client/minimal-http-client-multi/selftest.sh index 7a0a5580e..3140fda1f 100755 --- a/minimal-examples/http-client/minimal-http-client-multi/selftest.sh +++ b/minimal-examples/http-client/minimal-http-client-multi/selftest.sh 
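Review bot: `lws_tls_restrict_return()` in lib/tls/tls.c decrements `context->simultaneous_ssl` with no floor, yet after this commit it is reached from `lws_ssl_close()` for every role while the client borrow is skipped when `wsi->transaction_from_pipeline_queue` is set. If any close is not matched by a borrow, the count drops below zero (or wraps, depending on the field's type, which is not visible here), and the `==` test that reopens accepts can then be missed. A guard at the top of the restricted branch, `if (!context->simultaneous_ssl) { lwsl_err("%s: unbalanced return\n", __func__); return; }`, keeps the accounting bounded and makes a mismatch visible in the logs. `lws_tls_restrict_borrow()` begins outside the hunk.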
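Review bot: In minimal-http-client-multi.c, `--limit` is parsed with `atoi()`, so a non-numeric argument becomes 0 and a negative one is stored unchanged in `info.simultaneous_ssl_restriction`. Since `lws_tls_restrict_return()` treats 0 as "no restriction", a typo silently turns the limit off, and the new `dofailtest` cases depend on it being in force. Parsing with `strtol()` and rejecting bad input makes that explicit: `v = strtol(p, &end, 10); if (end == p || *end || v < 0 || v > INT_MAX) return 1;` (with `char *end; long v;` declared and `(int)v` assigned afterwards, assuming the field is an `int`). `main()` extends beyond the hunk on both sides.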
@@ -18,7 +18,7 @@ . $5/selftests-library.sh -COUNT_TESTS=22 +COUNT_TESTS=30 dotest $1 $2 warmcat dotest $1 $2 warmcat-pipe -p @@ -34,6 +34,14 @@ dotest $1 $2 warmcat-post-pipe-stag --post -p -s dotest $1 $2 warmcat-h1-post --post --h1 dotest $1 $2 warmcat-h1-post-pipe --post --h1 -p dotest $1 $2 warmcat-h1-post-pipe-stag --post --h1 -p -s +dotest $1 $2 warmcat-restrict-pipe --limit 1 -p +dotest $1 $2 warmcat-restrict-h1-pipe --limit 1 -p --h1 +dotest $1 $2 warmcat-restrict-pipe-stag --limit 1 -p -s +dotest $1 $2 warmcat-restrict-h1-pipe-stag --limit 1 -p --h1 -s +dofailtest $1 $2 fail-warmcat-restrict --limit 1 +dofailtest $1 $2 fail-warmcat-restrict-h1 --limit 1 --h1 +dofailtest $1 $2 fail-warmcat-restrict-stag --limit 1 -s +dofailtest $1 $2 fail-warmcat-restrict-h1-stag --limit 1 --h1 -s spawn "" $5/http-server/minimal-http-server-tls $1/lws-minimal-http-server-tls dotest $1 $2 localhost -l
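Review bot: The four `dofailtest` cases with `--limit 1` appear to pass on any failing run, so a DNS or network failure on the way to the remote host would satisfy them just as well as the restriction being enforced. If `dofailtest` (defined in selftests-library.sh, not visible here) keeps the client's log, consider also checking it for the `tls restriction limit` string that client-http.c sets as the connection-error reason. A one-line comment above the block, e.g. `# without -p the connections presumably run in parallel, exceed --limit 1 and must fail`, would also explain why these are expected failures.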