diff --git a/CMakeLists.txt b/CMakeLists.txt index 4a366e93c..acd956639 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -243,6 +243,7 @@ if (NOT LWS_WITH_NETWORK) set(LWS_WITH_SEQUENCER 0) set(LWS_ROLE_DBUS 0) set(LWS_WITH_LWS_DSH 0) + set(LWS_WITH_THREADPOOL 0) endif() if (LWS_WITH_STRUCT_SQLITE3) @@ -1501,7 +1502,7 @@ if (LWS_WITH_JOSE) ) endif() -if (LWS_WITH_JOSE OR LWS_WITH_GENCRYPTO) +if (LWS_WITH_TLS AND (LWS_WITH_JOSE OR LWS_WITH_GENCRYPTO)) list(APPEND SOURCES lib/tls/lws-gencrypto-common.c) endif() @@ -2223,7 +2224,7 @@ if ((LWS_ROLE_H1 OR LWS_ROLE_H2) AND NOT LWS_WITHOUT_TESTAPPS) "" "") - if (LWS_WITH_CGI) + if (LWS_WITH_CGI AND LWS_WITH_TLS) create_test_app(test-sshd "test-apps/test-sshd.c" "" "" @@ -2422,7 +2423,7 @@ if (LWS_WITH_ACME) "plugins/acme-client/protocol_lws_acme_client.c" "" "") endif() -if (LWS_WITH_GENERIC_SESSIONS AND LWS_ROLE_WS) +if (LWS_WITH_GENERIC_SESSIONS AND LWS_ROLE_WS AND LWS_WITH_TLS) create_plugin(protocol_generic_sessions "" "plugins/generic-sessions/protocol_generic_sessions.c" "plugins/generic-sessions/utils.c" diff --git a/lib/core-net/connect.c b/lib/core-net/connect.c index 423b52394..371f196ac 100644 --- a/lib/core-net/connect.c +++ b/lib/core-net/connect.c @@ -22,6 +22,7 @@ * IN THE SOFTWARE. */ +#include #include "private-lib-core.h" struct lws * @@ -49,6 +50,10 @@ lws_client_connect_via_info(const struct lws_client_connect_info *i) if (i->local_protocol_name) local = i->local_protocol_name; + if ((i->ssl_connection & LCCSCF_USE_SSL) && + lws_tls_restrict_borrow(i->context)) + return NULL; + lws_stats_bump(&i->context->pt[tid], LWSSTATS_C_CONNS_CLIENT, 1); /* PHASE 1: create a bare wsi */ @@ -57,6 +62,8 @@ lws_client_connect_via_info(const struct lws_client_connect_info *i) if (wsi == NULL) goto bail; + + wsi->context = i->context; wsi->desc.sockfd = LWS_SOCK_INVALID; wsi->seq = i->seq; 
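Review bot: The new early `return NULL` after lws_tls_restrict_borrow() in lws_client_connect_via_info skips the `*i->pwsi = NULL` that the bail path performs, so a caller that supplied pwsi is left with a stale pointer exactly when the TLS connection limit is hit. The slot has not been borrowed at that point, so `goto bail` is not an option; clear it inline instead: `if (i->pwsi) *i->pwsi = NULL; return NULL;`. The borrow now precedes wsi creation and is undone only at bail2 in the later hunk of this file, so any `goto bail` that sits above the borrow (the function starts before this hunk and I cannot see it) would run lws_tls_restrict_return() without a matching borrow and drift the counter downward — worth confirming.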
@@ -360,6 +367,10 @@ bail: #if defined(LWS_ROLE_H1) || defined(LWS_ROLE_H2) bail2: #endif + + if (i->ssl_connection & LCCSCF_USE_SSL) + lws_tls_restrict_return(i->context); + if (i->pwsi) *i->pwsi = NULL; diff --git a/lib/tls/mbedtls/mbedtls-ssl.c b/lib/tls/mbedtls/mbedtls-ssl.c index 48000ac67..b534957c3 100644 --- a/lib/tls/mbedtls/mbedtls-ssl.c +++ b/lib/tls/mbedtls/mbedtls-ssl.c @@ -245,12 +245,8 @@ lws_ssl_close(struct lws *wsi) SSL_free(wsi->tls.ssl); wsi->tls.ssl = NULL; - if (!lwsi_role_client(wsi) && - wsi->context->simultaneous_ssl_restriction && - wsi->context->simultaneous_ssl-- == - wsi->context->simultaneous_ssl_restriction) - /* we made space and can do an accept */ - lws_gate_accepts(wsi->context, 1); + if (!lwsi_role_client(wsi)) + lws_tls_restrict_return(wsi->context); return 1; /* handled */ } diff --git a/lib/tls/openssl/openssl-ssl.c b/lib/tls/openssl/openssl-ssl.c index 131209f34..6e59caf1e 100644 --- a/lib/tls/openssl/openssl-ssl.c +++ b/lib/tls/openssl/openssl-ssl.c @@ -416,11 +416,7 @@ lws_ssl_close(struct lws *wsi) SSL_free(wsi->tls.ssl); wsi->tls.ssl = NULL; - if (wsi->context->simultaneous_ssl_restriction && - wsi->context->simultaneous_ssl-- == - wsi->context->simultaneous_ssl_restriction) - /* we made space and can do an accept */ - lws_gate_accepts(wsi->context, 1); + lws_tls_restrict_return(wsi->context); // lwsl_notice("%s: ssl restr %d, simul %d\n", __func__, // wsi->context->simultaneous_ssl_restriction, diff --git a/lib/tls/private-lib-tls.h b/lib/tls/private-lib-tls.h index 1add27a78..8f5bcfd1b 100644 --- a/lib/tls/private-lib-tls.h +++ b/lib/tls/private-lib-tls.h @@ -119,6 +119,12 @@ enum lws_tls_extant { #if defined(LWS_WITH_TLS) +int +lws_tls_restrict_borrow(struct lws_context *context); + +void +lws_tls_restrict_return(struct lws_context *context); + typedef SSL lws_tls_conn; typedef SSL_CTX lws_tls_ctx; typedef BIO lws_tls_bio; 
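Review bot: The lws_tls_restrict_return() added at bail2 in lws_client_connect_via_info runs for every LCCSCF_USE_SSL failure, but the openssl lws_ssl_close() in this commit also returns the slot unconditionally, so a bail path that tears down a wsi whose wsi->tls.ssl was already created would return the same slot twice. Whether any bail path reaches lws_ssl_close() is not visible in this hunk, so this is a question rather than a confirmed defect; if it can, the cleanup here should only return when the TLS object was never created, e.g. `if ((i->ssl_connection & LCCSCF_USE_SSL) && (!wsi || !wsi->tls.ssl))`. A one-line comment stating which side owns the return on failure would make the invariant checkable later.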
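Review bot: The mbedtls lws_ssl_close() only calls lws_tls_restrict_return() for non-client wsi, but connect.c in this commit now borrows a slot for every LCCSCF_USE_SSL client connection, so under mbedtls each successful client TLS connection permanently consumes one unit of simultaneous_ssl_restriction and accepts end up gated forever once enough have been made. The openssl lws_ssl_close() hunk returns unconditionally, so the two backends now disagree on ownership of the client slot. Unless there is a reason clients should not be counted under mbedtls, drop the guard to match: `lws_tls_restrict_return(wsi->context);`.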
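Review bot: The commented-out `// lwsl_notice("%s: ssl restr %d, simul %d\n", ...)` lines left below the new lws_tls_restrict_return() call in the openssl lws_ssl_close() reference counter fields that this commit moves behind the borrow/return helpers in tls.c, so they are now dead in two senses. Delete them; if a trace is wanted it belongs inside lws_tls_restrict_return(), where the count is actually updated.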
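Review bot: The new lws_tls_restrict_borrow() / lws_tls_restrict_return() prototypes in private-lib-tls.h carry no contract, and the pairing rule is what every caller in this commit depends on. A short block comment above them would do: `/* Reserve / release one slot against context->simultaneous_ssl_restriction. A nonzero return from borrow means the limit is reached and nothing was reserved; every 0 return must be balanced by exactly one return call, which may re-open accepts via lws_gate_accepts(). */`.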
@@ -185,5 +191,11 @@ int lws_genec_confirm_curve_allowed_by_tls_id(const char *allowed, int id, struct lws_jwk *jwk); + +#else /* ! WITH_TLS */ + +#define lws_tls_restrict_borrow(xxx) (0) +#define lws_tls_restrict_return(xxx) + #endif #endif diff --git a/lib/tls/private-network.h b/lib/tls/private-network.h index de0a7ad86..cf328763d 100644 --- a/lib/tls/private-network.h +++ b/lib/tls/private-network.h @@ -186,8 +186,3 @@ lws_ssl_info_callback(const lws_tls_conn *ssl, int where, int ret); int lws_tls_fake_POLLIN_for_buffered(struct lws_context_per_thread *pt); - - - - - diff --git a/lib/tls/tls-server.c b/lib/tls/tls-server.c index 06ec65484..a7b27b512 100644 --- a/lib/tls/tls-server.c +++ b/lib/tls/tls-server.c @@ -140,25 +140,17 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd) lwsl_err("%s: leaking ssl\n", __func__); if (accept_fd == LWS_SOCK_INVALID) assert(0); - if (context->simultaneous_ssl_restriction && - context->simultaneous_ssl >= - context->simultaneous_ssl_restriction) { - lwsl_notice("unable to deal with SSL connection\n"); + + if (lws_tls_restrict_borrow(context)) return 1; - } if (lws_tls_server_new_nonblocking(wsi, accept_fd)) { if (accept_fd != LWS_SOCK_INVALID) compatible_close(accept_fd); + lws_tls_restrict_return(context); goto fail; } - if (context->simultaneous_ssl_restriction && - ++context->simultaneous_ssl == - context->simultaneous_ssl_restriction) - /* that was the last allowed SSL connection */ - lws_gate_accepts(context, 0); - #if defined(LWS_WITH_STATS) context->updated = 1; #endif diff --git a/lib/tls/tls.c b/lib/tls/tls.c index ca6508670..6f1f1739a 100644 --- a/lib/tls/tls.c +++ b/lib/tls/tls.c 
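Review bot: The non-TLS fallbacks `#define lws_tls_restrict_borrow(xxx) (0)` and `#define lws_tls_restrict_return(xxx)` in private-lib-tls.h discard their argument entirely, so a call with side effects in the argument silently does nothing, and the return macro expanding to nothing leaves `if (...) lws_tls_restrict_return(ctx);` as an empty statement that trips -Wempty-body. Evaluating the argument and yielding a void expression avoids both: `#define lws_tls_restrict_borrow(xxx) ((void)(xxx), 0)` and `#define lws_tls_restrict_return(xxx) ((void)(xxx))`. The `/* ! WITH_TLS */` comment should also name the actual symbol, `LWS_WITH_TLS`, so a grep for the guard finds it.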
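Review bot: In lws_server_socket_service_ssl the new `if (lws_tls_restrict_borrow(context)) return 1;` returns with accept_fd still open, while the lws_tls_server_new_nonblocking() failure branch directly below closes it with compatible_close(accept_fd) before undoing the borrow. The function begins outside this hunk and I cannot see whether the caller closes the descriptor on a return of 1; if it does not, the descriptor leaks precisely under connection pressure, which is the condition the limit exists to handle. Either close it here as the other branch does, or document the return-1 contract for accept_fd in a comment at the function head.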
@@ -45,6 +45,35 @@ alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, } #endif +int +lws_tls_restrict_borrow(struct lws_context *context) +{ + if (!context->simultaneous_ssl_restriction) + return 0; + + if (context->simultaneous_ssl >= context->simultaneous_ssl_restriction) { + lwsl_notice("%s: tls connection limit %d\n", __func__, + context->simultaneous_ssl); + return 1; + } + + if (++context->simultaneous_ssl == context->simultaneous_ssl_restriction) + /* that was the last allowed SSL connection */ + lws_gate_accepts(context, 0); + + return 0; +} + +void +lws_tls_restrict_return(struct lws_context *context) +{ + if (context->simultaneous_ssl_restriction && + context->simultaneous_ssl-- == + context->simultaneous_ssl_restriction) + /* we made space and can do an accept */ + lws_gate_accepts(context, 1); +} + void lws_context_init_alpn(struct lws_vhost *vhost) { diff --git a/minimal-examples/raw/minimal-raw-audio/CMakeLists.txt b/minimal-examples/raw/minimal-raw-audio/CMakeLists.txt index 7827dd407..44c15f926 100644 --- a/minimal-examples/raw/minimal-raw-audio/CMakeLists.txt +++ b/minimal-examples/raw/minimal-raw-audio/CMakeLists.txt @@ -65,6 +65,7 @@ ENDMACRO() set(requirements 1) require_lws_config(LWS_WITH_ALSA 1 requirements) +require_lws_config(LWS_WITH_NETWORK 1 requirements) if (requirements) add_executable(${SAMP} ${SRCS})
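Review bot: lws_tls_restrict_return() decrements context->simultaneous_ssl unconditionally once a restriction is set, so any unbalanced return (the mbedtls/openssl client asymmetry and the connect.c bail path in this commit are both candidates) drives the count below zero and the `== simultaneous_ssl_restriction` re-open condition is never met again; accepts then stay gated until restart. Refusing to decrement past zero and logging the imbalance turns a silent lock-out into a diagnosable bug. Both new functions would also benefit from a header comment stating the pairing contract and that lws_gate_accepts() is toggled exactly at the limit boundary.

```c
/* … unchanged: lws_tls_restrict_borrow() … */

/*
 * Release one slot reserved by a successful lws_tls_restrict_borrow().
 * Re-opens accepts when the count drops back below the restriction.
 */
void
lws_tls_restrict_return(struct lws_context *context)
{
	if (!context->simultaneous_ssl_restriction)
		return;

	/* an unmatched return would otherwise wedge the gate shut */
	if (!context->simultaneous_ssl) {
		lwsl_err("%s: unbalanced tls restrict return\n", __func__);
		return;
	}

	if (context->simultaneous_ssl-- ==
	    context->simultaneous_ssl_restriction)
		/* we made space and can do an accept */
		lws_gate_accepts(context, 1);
}
```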