diff --git a/lib/service.c b/lib/service.c
index 08177a91..1a41e834 100644
--- a/lib/service.c
+++ b/lib/service.c
@@ -1047,37 +1047,37 @@ lws_service_fd_tsi(struct lws_context *context, struct lws_pollfd *pollfd, int t
 	}
 
 #ifdef LWS_OPENSSL_SUPPORT
-	if ((wsi->state == LWSS_SHUTDOWN) && lws_is_ssl(wsi) && wsi->ssl)
-	{
+	if ((wsi->state == LWSS_SHUTDOWN) && lws_is_ssl(wsi) && wsi->ssl) {
 		n = SSL_shutdown(wsi->ssl);
 		lwsl_debug("SSL_shutdown=%d for fd %d\n", n, wsi->desc.sockfd);
-		if (n == 1)
-		{
+		switch (n) {
+		case 1:
 			n = shutdown(wsi->desc.sockfd, SHUT_WR);
 			goto close_and_handled;
-		}
-		else if (n == 0)
-		{
-			lws_change_pollfd(wsi, LWS_POLLOUT, LWS_POLLIN);
+
+		case 0:
+			lws_change_pollfd(wsi, 0, LWS_POLLIN);
 			n = 0;
 			goto handled;
-		}
-		else /* n < 0 */
-		{
-			int shutdown_error = SSL_get_error(wsi->ssl, n);
-			lwsl_debug("SSL_shutdown ret %d, SSL_get_error: %d\n",
-				   n, shutdown_error);
-			if (shutdown_error == SSL_ERROR_WANT_READ) {
-				lws_change_pollfd(wsi, LWS_POLLOUT, LWS_POLLIN);
-				n = 0;
-				goto handled;
-			} else if (shutdown_error == SSL_ERROR_WANT_WRITE) {
-				lws_change_pollfd(wsi, LWS_POLLOUT, LWS_POLLOUT);
-				n = 0;
-				goto handled;
+
+		default:
+			n = SSL_get_error(wsi->ssl, n);
+			if (n != SSL_ERROR_SYSCALL) {
+				if (SSL_want_read(wsi->ssl)) {
+					lwsl_debug("(wants read)\n");
+					lws_change_pollfd(wsi, 0, LWS_POLLIN);
+					n = 0;
+					goto handled;
+				}
+				if (SSL_want_write(wsi->ssl)) {
+					lwsl_debug("(wants write)\n");
+					lws_change_pollfd(wsi, 0, LWS_POLLOUT);
+					n = 0;
+					goto handled;
+				}
 			}
 
-			// actual error occurred, just close the connection
+			/* actual error occurred, just close the connection */
 			n = shutdown(wsi->desc.sockfd, SHUT_WR);
 			goto close_and_handled;
 		}
diff --git a/lib/ssl.c b/lib/ssl.c
index 0ed64a3f..04921a0b 100644
--- a/lib/ssl.c
+++ b/lib/ssl.c
@@ -197,10 +197,15 @@ int openssl_websocket_private_data_index,
 
 int lws_ssl_get_error(struct lws *wsi, int n)
 {
+	int m;
+
 	if (!wsi->ssl)
 		return 99;
-	lwsl_debug("%s: %p %d\n", __func__, wsi->ssl, n);
-	return SSL_get_error(wsi->ssl, n);
+
+	m = SSL_get_error(wsi->ssl, n);
+	lwsl_debug("%s: %p %d -> %d\n", __func__, wsi->ssl, n, m);
+
+	return m;
 }
 
 /* Copies a string describing the code returned by lws_ssl_get_error(),
@@ -463,20 +468,17 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
 	}
 
 	if (n < 0) {
-		n = lws_ssl_get_error(wsi, n);
-		// lwsl_notice("get_ssl_err result %d\n", n);
-		if (n ==  SSL_ERROR_WANT_READ || SSL_want_read(wsi->ssl)) {
+		if (SSL_want_read(wsi->ssl)) {
 			lwsl_debug("%s: WANT_READ\n", __func__);
 			lwsl_debug("%p: LWS_SSL_CAPABLE_MORE_SERVICE\n", wsi);
 			return LWS_SSL_CAPABLE_MORE_SERVICE;
 		}
-		if (n ==  SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->ssl)) {
+		if (SSL_want_write(wsi->ssl)) {
 			lwsl_debug("%s: WANT_WRITE\n", __func__);
 			lwsl_debug("%p: LWS_SSL_CAPABLE_MORE_SERVICE\n", wsi);
 			return LWS_SSL_CAPABLE_MORE_SERVICE;
 		}
 
-
 		lwsl_info("%s failed2: %s\n",__func__,
 				 ERR_error_string(lws_ssl_get_error(wsi, 0), NULL));
 			lws_ssl_elaborate_error();