diff --git a/lib/http2/ssl-http2.c b/lib/http2/ssl-http2.c
index 05d69536..f80b95e5 100644
--- a/lib/http2/ssl-http2.c
+++ b/lib/http2/ssl-http2.c
@@ -103,6 +103,9 @@ int lws_h2_configure_if_upgraded(struct lws *wsi)
 	char cstr[10];
 	unsigned len;
 
+	if (!wsi->ssl)
+		return 0;
+
 	SSL_get0_alpn_selected(wsi->ssl, &name, &len);
 	if (!len) {
 		lwsl_info("no ALPN upgrade\n");
diff --git a/lib/server/ssl-server.c b/lib/server/ssl-server.c
index 3e6ed96b..30e4a173 100644
--- a/lib/server/ssl-server.c
+++ b/lib/server/ssl-server.c
@@ -207,6 +207,11 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
 				wsi->use_ssl = 0;
 
 				lws_tls_server_abort_connection(wsi);
+				/*
+				 * care... this creates wsi with no ssl
+				 * when ssl is enabled and normally
+				 * mandatory
+				 */
 				wsi->ssl = NULL;
 				if (lws_check_opt(context->options,
 				    LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS))
@@ -280,7 +285,7 @@ accepted:
 		/* adapt our vhost to match the SNI SSL_CTX that was chosen */
 		vh = context->vhost_list;
 		while (vh) {
-			if (!vh->being_destroyed &&
+			if (!vh->being_destroyed && wsi->ssl &&
 			    vh->ssl_ctx == lws_tls_ctx_from_wsi(wsi)) {
 				lwsl_info("setting wsi to vh %s\n", vh->name);
 				wsi->vhost = vh;
diff --git a/lib/tls/mbedtls/ssl.c b/lib/tls/mbedtls/ssl.c
index 10c03884..55325448 100644
--- a/lib/tls/mbedtls/ssl.c
+++ b/lib/tls/mbedtls/ssl.c
@@ -295,6 +295,9 @@ lws_ssl_context_destroy(struct lws_context *context)
 lws_tls_ctx *
 lws_tls_ctx_from_wsi(struct lws *wsi)
 {
+	if (!wsi->ssl)
+		return NULL;
+
 	return SSL_get_SSL_CTX(wsi->ssl);
 }
 
diff --git a/lib/tls/openssl/ssl.c b/lib/tls/openssl/ssl.c
index faef7e7e..a6c47984 100644
--- a/lib/tls/openssl/ssl.c
+++ b/lib/tls/openssl/ssl.c
@@ -456,6 +456,9 @@ lws_ssl_context_destroy(struct lws_context *context)
 lws_tls_ctx *
 lws_tls_ctx_from_wsi(struct lws *wsi)
 {
+	if (!wsi->ssl)
+		return NULL;
+
 	return SSL_get_SSL_CTX(wsi->ssl);
 }