diff --git a/lib/core-net/client/connect.c b/lib/core-net/client/connect.c
index 18863f63e..f1028cffe 100644
--- a/lib/core-net/client/connect.c
+++ b/lib/core-net/client/connect.c
@@ -537,7 +537,7 @@ bail2:
 #endif
 #if defined(LWS_WITH_TLS)
- if (i->ssl_connection & LCCSCF_USE_SSL)
+ if (wsi->tls.ssl)
 lws_tls_restrict_return(i->context);
 #endif
diff --git a/lib/tls/tls-client.c b/lib/tls/tls-client.c
index f2b10f783..972438f39 100644
--- a/lib/tls/tls-client.c
+++ b/lib/tls/tls-client.c
@@ -182,10 +182,6 @@ lws_client_create_tls(struct lws *wsi, const char **pcce, int do_c1)
 int n;
 if (!wsi->tls.ssl) {
- if (lws_ssl_client_bio_create(wsi) < 0) {
- *pcce = "bio_create failed";
- return CCTLS_RETURN_ERROR;
- }
 #if defined(LWS_WITH_TLS)
 if (!wsi->transaction_from_pipeline_queue &&
@@ -194,6 +190,11 @@ lws_client_create_tls(struct lws *wsi, const char **pcce, int do_c1)
 return CCTLS_RETURN_ERROR;
 }
 #endif
+
+ if (lws_ssl_client_bio_create(wsi) < 0) {
+ *pcce = "bio_create failed";
+ return CCTLS_RETURN_ERROR;
+ }
 }
 if (!do_c1)
diff --git a/lib/tls/tls.c b/lib/tls/tls.c
index c714fa509..b2ed2904a 100644
--- a/lib/tls/tls.c
+++ b/lib/tls/tls.c
@@ -58,16 +58,20 @@ lws_tls_restrict_borrow(struct lws_context *context)
 }
 context->simultaneous_ssl++;
+
+ lwsl_info("%s: %d -> %d\n", __func__,
+ context->simultaneous_ssl - 1,
+ context->simultaneous_ssl);
+
+ assert(context->simultaneous_ssl <=
+ context->simultaneous_ssl_restriction);
+
 #if defined(LWS_WITH_SERVER)
 if (context->simultaneous_ssl == context->simultaneous_ssl_restriction)
 /* that was the last allowed SSL connection */
 lws_gate_accepts(context, 0);
 #endif
- lwsl_info("%s: %d -> %d\n", __func__,
- context->simultaneous_ssl - 1,
- context->simultaneous_ssl);
-
 return 0;
 }
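Review bot: In lib/core-net/client/connect.c, the new `if (wsi->tls.ssl)` test after `bail2:` treats a non-NULL SSL object as proof that a restriction slot was borrowed, but nothing in the hunk states or enforces that pairing. In the tls-client.c part of this commit the restriction check is skipped when `wsi->transaction_from_pipeline_queue` is set while `lws_ssl_client_bio_create()` still runs, so a wsi can apparently hold `tls.ssl` without a borrow; if such a wsi reaches a return path keyed on `tls.ssl`, `simultaneous_ssl` is decremented without a matching increment and the configured connection limit stops being accurate. I would add a comment above the test, `/* tls.ssl is only non-NULL once a restriction slot has been borrowed */`, and confirm that it holds for pipelined transactions, or record the borrow in an explicit flag instead. The code around `bail2:` lies outside the hunk, so whether `wsi` can already carry an SSL object at this point could not be checked.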
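Review bot: In lib/tls/tls-client.c, the relocated `bio_create failed` branch now returns `CCTLS_RETURN_ERROR` after the restriction check above it has already passed, and nothing in the hunk gives the slot back. The second half of that check falls between the two hunks; assuming it is the `lws_tls_restrict_borrow()` call, a BIO creation failure that leaves `wsi->tls.ssl` NULL keeps `simultaneous_ssl` incremented, since the connect.c cleanup in this commit only returns a slot when `wsi->tls.ssl` is set. Repeated failures would then use up `simultaneous_ssl_restriction` and, on server builds, leave accepts gated off. Returning the slot in that branch would close the gap, for example `if (!wsi->tls.ssl && !wsi->transaction_from_pipeline_queue) lws_tls_restrict_return(lws_get_context(wsi));`, provided the later close path does not return it a second time.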
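Review bot: In lib/tls/tls.c, the two new `assert()` calls are the only enforcement of the counter bounds, in `lws_tls_restrict_borrow()` here and in `lws_tls_restrict_return()` in the following hunk (`assert(context->simultaneous_ssl >= 0)`). With NDEBUG they compile away and an unbalanced counter carries on silently; without it, an accounting slip in a network-facing process ends in abort(), which turns a bookkeeping bug into loss of service. In the return path the decrement has already happened when the assert runs, so a guard placed before it is safer: `if (context->simultaneous_ssl <= 0) { lwsl_err("%s: unbalanced return\n", __func__); return; }`. The borrow-side assert also relies on the limit check above the hunk, which is not visible here, to keep a zero `simultaneous_ssl_restriction` from reaching it.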
@@ -77,14 +81,16 @@ lws_tls_restrict_return(struct lws_context *context)
 if (context->simultaneous_ssl_restriction) {
 int n = context->simultaneous_ssl--;
+ lwsl_info("%s: %d -> %d\n", __func__, n,
+ context->simultaneous_ssl);
+
+ assert(context->simultaneous_ssl >= 0);
+
 #if defined(LWS_WITH_SERVER)
 if (n == context->simultaneous_ssl_restriction)
 /* we made space and can do an accept */
 lws_gate_accepts(context, 1);
 #endif
-
- lwsl_info("%s: %d -> %d\n", __func__, n,
- context->simultaneous_ssl);
 }
 }
@@ -100,6 +106,7 @@ lws_context_init_alpn(struct lws_vhost *vhost)
 lwsl_info(" Server '%s' advertising ALPN: %s\n", vhost->name, alpn_comma);
+
 vhost->tls.alpn_ctx.len = (uint8_t)lws_alpn_comma_to_openssl(alpn_comma, vhost->tls.alpn_ctx.data, sizeof(vhost->tls.alpn_ctx.data) - 1);
@@ -107,9 +114,9 @@ lws_context_init_alpn(struct lws_vhost *vhost)
 SSL_CTX_set_alpn_select_cb(vhost->tls.ssl_ctx, alpn_cb, &vhost->tls.alpn_ctx);
 #else
- lwsl_err(
- " HTTP2 / ALPN configured but not supported by OpenSSL 0x%lx\n",
- OPENSSL_VERSION_NUMBER);
+ lwsl_err(" HTTP2 / ALPN configured "
+ "but not supported by OpenSSL 0x%lx\n",
+ OPENSSL_VERSION_NUMBER);
 #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 }