diff --git a/lib/core-net/service.c b/lib/core-net/service.c
index bad4b1538..af16ffa46 100644
--- a/lib/core-net/service.c
+++ b/lib/core-net/service.c
@@ -587,18 +587,17 @@ lws_service_flag_pending(struct lws_context *context, int tsi)
 
 		if (wsi->position_in_fds_table >= 0) {
 
-		pt->fds[wsi->position_in_fds_table].revents |=
-			pt->fds[wsi->position_in_fds_table].events & LWS_POLLIN;
-		if (pt->fds[wsi->position_in_fds_table].revents & LWS_POLLIN) {
-			forced = 1;
-			/*
-			 * he's going to get serviced now, take him off the
-			 * list of guys with buffered SSL.  If he still has some
-			 * at the end of the service, he'll get put back on the
-			 * list then.
-			 */
-			__lws_ssl_remove_wsi_from_buffered_list(wsi);
-		}
+			pt->fds[wsi->position_in_fds_table].revents |=
+				pt->fds[wsi->position_in_fds_table].events &
+								LWS_POLLIN;
+			if (pt->fds[wsi->position_in_fds_table].revents &
+								LWS_POLLIN)
+				/*
+				 * We're not going to remove the wsi from the
+				 * pending tls list.  The processing will have
+				 * to do it if he exhausts the pending tls.
+				 */
+				forced = 1;
 		}
 
 	} lws_end_foreach_dll_safe(p, p1);
diff --git a/lib/tls/mbedtls/mbedtls-ssl.c b/lib/tls/mbedtls/mbedtls-ssl.c
index f57a837f6..f535aed4a 100644
--- a/lib/tls/mbedtls/mbedtls-ssl.c
+++ b/lib/tls/mbedtls/mbedtls-ssl.c
@@ -136,10 +136,12 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
 	if (!wsi->tls.ssl)
 		goto bail;
 
-	if (SSL_pending(wsi->tls.ssl) &&
-	    lws_dll2_is_detached(&wsi->tls.dll_pending_tls))
-		lws_dll2_add_head(&wsi->tls.dll_pending_tls,
-				 &pt->tls.dll_pending_tls_owner);
+	if (SSL_pending(wsi->tls.ssl)) {
+		if (lws_dll2_is_detached(&wsi->tls.dll_pending_tls))
+			lws_dll2_add_head(&wsi->tls.dll_pending_tls,
+					  &pt->tls.dll_pending_tls_owner);
+	} else
+		__lws_ssl_remove_wsi_from_buffered_list(wsi);
 
 	return n;
 bail:
diff --git a/lib/tls/openssl/openssl-ssl.c b/lib/tls/openssl/openssl-ssl.c
index e1f8bd45b..6c8f5bcd5 100644
--- a/lib/tls/openssl/openssl-ssl.c
+++ b/lib/tls/openssl/openssl-ssl.c
@@ -297,10 +297,12 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
 	if (!wsi->tls.ssl)
 		goto bail;
 
-	if (SSL_pending(wsi->tls.ssl) &&
-	    lws_dll2_is_detached(&wsi->tls.dll_pending_tls))
-		lws_dll2_add_head(&wsi->tls.dll_pending_tls,
-				  &pt->tls.dll_pending_tls_owner);
+	if (SSL_pending(wsi->tls.ssl)) {
+		if (lws_dll2_is_detached(&wsi->tls.dll_pending_tls))
+			lws_dll2_add_head(&wsi->tls.dll_pending_tls,
+					  &pt->tls.dll_pending_tls_owner);
+	} else
+		__lws_ssl_remove_wsi_from_buffered_list(wsi);
 
 	return n;
 bail: