diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
index 6931f15a4..23a9ffeb2 100644
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@@ -21,6 +21,8 @@
 #include "core/private.h"
+int lws_openssl_describe_cipher(struct lws *wsi);
+
 extern int openssl_websocket_private_data_index, openssl_SSL_CTX_private_data_index;
@@ -250,6 +252,7 @@ lws_tls_client_connect(struct lws *wsi)
 lws_role_call_alpn_negotiated(wsi, (const char *)a);
 #endif
 lwsl_info("client connect OK\n");
+ lws_openssl_describe_cipher(wsi);
 return LWS_SSL_CAPABLE_DONE;
 }
diff --git a/lib/tls/openssl/openssl-server.c b/lib/tls/openssl/openssl-server.c
index a87c920ae..7e23c2e6b 100644
--- a/lib/tls/openssl/openssl-server.c
+++ b/lib/tls/openssl/openssl-server.c
@@ -24,6 +24,8 @@
 extern int openssl_websocket_private_data_index, openssl_SSL_CTX_private_data_index;
+int lws_openssl_describe_cipher(struct lws *wsi);
+
 static int OpenSSL_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 {
@@ -479,6 +481,9 @@ lws_tls_server_accept(struct lws *wsi)
 __func__, ir.ns.name);
 else lwsl_info("%s: couldn't get client cert CN\n", __func__);
+
+ lws_openssl_describe_cipher(wsi);
+
 return LWS_SSL_CAPABLE_DONE;
 }
diff --git a/lib/tls/openssl/ssl.c b/lib/tls/openssl/ssl.c
index b429e7d7a..0e847238f 100644
--- a/lib/tls/openssl/ssl.c
+++ b/lib/tls/openssl/ssl.c
@@ -25,6 +25,21 @@
 int openssl_websocket_private_data_index, openssl_SSL_CTX_private_data_index;
+int lws_openssl_describe_cipher(struct lws *wsi)
+{
+#if !defined(LWS_WITH_NO_LOGS)
+ int np = -1;
+ SSL *s = wsi->tls.ssl;
+
+ SSL_get_cipher_bits(s, &np);
+ lwsl_info("%s: wsi %p: %s, %s, %d bits, %s\n", __func__, wsi,
+ SSL_get_cipher_name(s), SSL_get_cipher(s), np,
+ SSL_get_cipher_version(s));
+#endif
+
+ return 0;
+}
+
 int lws_ssl_get_error(struct lws *wsi, int n)
 {
 int m;
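Review bot: The prototype `int lws_openssl_describe_cipher(struct lws *wsi);` is written out by hand at the top of openssl-client.c, and again in the first openssl-server.c hunk, instead of living in a header that ssl.c also includes, so the compiler never checks these copies against the definition added in ssl.c. If the signature changes later, both callers would keep compiling against a stale declaration. Declaring it once in the private header these files already share (`core/private.h` is included here; the exact header is the project's choice) keeps the definition and its callers in sync.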
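Review bot: In `lws_openssl_describe_cipher()` the value logged as `%d bits` is `np`, the out-parameter of `SSL_get_cipher_bits()`, which OpenSSL documents as the bits processed by the algorithm; the number of secret bits actually in use is the return value, which is discarded here. For a reduced-strength suite the log line would overstate what was negotiated, which matters if it is read to audit connection strength; `int bits = SSL_get_cipher_bits(s, &np);` and logging `bits` (optionally alongside `np`) reports the effective figure. `SSL_get_cipher_name(s)` and `SSL_get_cipher(s)` are, as far as I know, the same OpenSSL macro, so the cipher name is printed twice and one of the two arguments can be dropped. A one-line comment such as `/* logs the negotiated cipher at info level; always returns 0 */` would also help, since both call sites ignore the result.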