diff --git a/src/shrpx_connection.cc b/src/shrpx_connection.cc
index a2a3b91a..a511eb7f 100644
--- a/src/shrpx_connection.cc
+++ b/src/shrpx_connection.cc
@@ -303,12 +303,20 @@ int Connection::tls_handshake() {
 }
 tls.rb->write(nread);
+ // We have limited space for read buffer, so stop reading if it
+ // filled up.
+ if (tls.rb->wleft() == 0) {
+ rlimit.stopw();
+ ev_timer_stop(loop, &rt);
+ }
+
 switch (tls.handshake_state) {
 case TLS_CONN_WAIT_FOR_SESSION_CACHE:
- if (tls.rb->wleft() == 0) {
- // Input buffer is full. Disable read until cache is returned
- rlimit.stopw();
- ev_timer_stop(loop, &rt);
+ if (nread > 0) {
+ if (LOG_ENABLED(INFO)) {
+ LOG(INFO) << "tls: client sent addtional data after client hello";
+ }
+ return -1;
 }
 return SHRPX_ERR_INPROGRESS;
 case TLS_CONN_GOT_SESSION_CACHE: {
@@ -317,12 +325,16 @@ int Connection::tls_handshake() {
 tls.rb->pos = tls.rb->begin();
 auto ssl_ctx = SSL_get_SSL_CTX(tls.ssl);
+ auto ssl_opts = SSL_get_options(tls.ssl);
 SSL_free(tls.ssl);
- auto ssl = ssl::create_server_ssl(ssl_ctx, nullptr);
+ auto ssl = ssl::create_ssl(ssl_ctx);
 if (!ssl) {
 return -1;
 }
+ if (ssl_opts & SSL_OP_NO_TICKET) {
+ SSL_set_options(ssl, SSL_OP_NO_TICKET);
+ }
 set_ssl(ssl);
@@ -360,6 +372,8 @@ int Connection::tls_handshake() {
 }
 if (tls.wb->rleft()) {
+ // First write indicates that resumption stuff has done.
+ tls.handshake_state = TLS_CONN_WRITE_STARTED;
 auto nwrite = write_clear(tls.wb->pos, tls.wb->rleft());
 if (nwrite < 0) {
 if (LOG_ENABLED(INFO)) {
@@ -373,6 +387,16 @@ int Connection::tls_handshake() {
 if (tls.wb->rleft()) {
 wlimit.startw();
 ev_timer_again(loop, &wt);
+ } else {
+ tls.wb->reset();
+ }
+
+ if (tls.handshake_state == TLS_CONN_WRITE_STARTED && tls.rb->rleft() == 0) {
+ tls.rb->reset();
+
+ // We may have stopped reading
+ rlimit.startw();
+ ev_timer_again(loop, &rt);
 }
 if (rv != 1) {
diff --git a/src/shrpx_connection.h b/src/shrpx_connection.h
index f9e18fd2..2f4105ab 100644
--- a/src/shrpx_connection.h
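Review bot: The block added before `switch (tls.handshake_state)` stops both the read watcher and the read timer whenever `tls.rb` fills, but the only restart this commit adds (hunk @@ -373) requires `tls.handshake_state == TLS_CONN_WRITE_STARTED`, so a handshake whose input fills the buffer before the server has written anything (for example a ClientHello larger than `tls.rb`) appears to be left with no read watcher and no read timeout, i.e. an idle connection that is never reaped. `tls_handshake` continues outside these hunks, so another path may cover this; if not, either keep `rt` running in the new block (drop `ev_timer_stop(loop, &rt);`) so the read timeout still bounds the stall, or treat "buffer full, no write yet, SSL still wants input" as an error the way the new `nread > 0` branch does. The new log message also misspells "additional" (`addtional`).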
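Review bot: The `ssl_opts` carry-over in the GOT_SESSION_CACHE case needs a comment saying why it exists, because a reader of `create_ssl(ssl_ctx)` cannot see that the replacement SSL object otherwise starts from the context defaults: the previous call passed a nullptr worker to `create_server_ssl`, whose `worker && !worker->get_ticket_keys()` check therefore never fired, so the `SSL_OP_NO_TICKET` chosen in `accept_connection` was silently dropped on every session-cache resumption. Suggest above `auto ssl_opts = SSL_get_options(tls.ssl);`: `// The fresh SSL object below starts from ssl_ctx defaults; keep the per-connection SSL_OP_NO_TICKET set in accept_connection (no working ticket keys) so replacing the object does not re-enable tickets.`. Only that one option is copied; if any other per-connection setting is applied to `tls.ssl` elsewhere, it is lost here as well.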
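Review bot: The comment `// First write indicates that resumption stuff has done.` does not say what the state change permits; since `TLS_CONN_WRITE_STARTED` is what later allows `tls.rb->reset()` and reading to resume (hunk @@ -373), say so: `// First handshake write: the session-resumption lookup is over, so the handshake input retained in tls.rb is no longer needed and reading may resume.`. The assignment is also unconditional on every pass through this branch, which is harmless only if the switch above has already normalized the other TLS_CONN_* states by this point; that switch is partly outside the hunk, so it is worth confirming that TLS_CONN_CANCEL_SESSION_CACHE cannot still be pending here.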
+++ b/src/shrpx_connection.h
@@ -46,6 +46,7 @@ enum {
 TLS_CONN_WAIT_FOR_SESSION_CACHE,
 TLS_CONN_GOT_SESSION_CACHE,
 TLS_CONN_CANCEL_SESSION_CACHE,
+ TLS_CONN_WRITE_STARTED,
 };
 struct TLSConnection {
diff --git a/src/shrpx_http2_session.cc b/src/shrpx_http2_session.cc
index 79628543..59ad9327 100644
--- a/src/shrpx_http2_session.cc
+++ b/src/shrpx_http2_session.cc
@@ -323,7 +323,7 @@ int Http2Session::initiate_connection() {
 // We are establishing TLS connection. If conn_.tls.ssl, we may
 // reuse the previous session.
 if (!conn_.tls.ssl) {
- auto ssl = ssl::create_client_ssl(ssl_ctx_);
+ auto ssl = ssl::create_ssl(ssl_ctx_);
 if (!ssl) {
 return -1;
 }
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index f95c0ad6..ef969077 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -695,7 +695,6 @@ SSL_CTX *create_ssl_client_context() {
 return ssl_ctx;
 }
-namespace {
 SSL *create_ssl(SSL_CTX *ssl_ctx) {
 auto ssl = SSL_new(ssl_ctx);
 if (!ssl) {
@@ -706,23 +705,6 @@ SSL *create_ssl(SSL_CTX *ssl_ctx) {
 return ssl;
 }
-} // namespace
-
-SSL *create_server_ssl(SSL_CTX *ssl_ctx, Worker *worker) {
- auto ssl = create_ssl(ssl_ctx);
- if (!ssl) {
- return nullptr;
- }
-
- // Disable TLS session ticket if we don't have working ticket keys.
- if (worker && !worker->get_ticket_keys()) {
- SSL_set_options(ssl, SSL_OP_NO_TICKET);
- }
-
- return ssl;
-}
-
-SSL *create_client_ssl(SSL_CTX *ssl_ctx) { return create_ssl(ssl_ctx); }
 ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
 int addrlen) {
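Review bot: `TLS_CONN_WRITE_STARTED` is added to the anonymous enum without a comment, and nothing in the header says how it relates to the session-cache states or who sets it. Suggest above the new enumerator: `// Set by Connection::tls_handshake on its first handshake write; session-cache handling is over and the retained read buffer may be reset.`. Since the enum is anonymous, a comment here is the only place that contract can be recorded.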
@@ -746,10 +728,15 @@ ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
 SSL *ssl = nullptr;
 auto ssl_ctx = worker->get_sv_ssl_ctx();
 if (ssl_ctx) {
- ssl = create_server_ssl(ssl_ctx, worker);
+ ssl = create_ssl(ssl_ctx);
 if (!ssl) {
 return nullptr;
 }
+ // Disable TLS session ticket if we don't have working ticket
+ // keys.
+ if (!worker->get_ticket_keys()) {
+ SSL_set_options(ssl, SSL_OP_NO_TICKET);
+ }
 }
 return new ClientHandler(worker, fd, ssl, host, service);
diff --git a/src/shrpx_ssl.h b/src/shrpx_ssl.h
index 27565cd5..7fdbbd67 100644
--- a/src/shrpx_ssl.h
+++ b/src/shrpx_ssl.h
@@ -172,8 +172,7 @@ SSL_CTX *setup_client_ssl_context();
 // this function returns nullptr.
 CertLookupTree *create_cert_lookup_tree();
-SSL *create_server_ssl(SSL_CTX *ssl_ctx, Worker *worker);
-SSL *create_client_ssl(SSL_CTX *ssl_ctx);
+SSL *create_ssl(SSL_CTX *ssl_ctx);
 } // namespace ssl
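Review bot: The `SSL_OP_NO_TICKET` decision now lives in two places — inline here and as the options carry-over in `Connection::tls_handshake` (`shrpx_connection.cc`, GOT_SESSION_CACHE case) — and `create_ssl` no longer applies it, so any future server-side caller of `create_ssl` silently gets tickets even when the worker has no working keys. Either keep a small server-side helper that takes the `Worker`, or at least extend the new comment so the coupling is visible: `// Disable TLS session ticket if we don't have working ticket keys. Keep in sync with the SSL_OP_NO_TICKET carry-over in Connection::tls_handshake, which recreates the SSL object.`. The `worker->get_ticket_keys()` call is safe here because `worker` is already dereferenced two lines above.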
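Review bot: `create_ssl` becomes a public `ssl::` function in this hunk but, unlike `create_cert_lookup_tree` just above it, carries no declaration comment, and the part of its contract callers most need is what it does not do. Suggest above the declaration: `// Creates a new SSL object from ssl_ctx; callers must check for nullptr. No per-connection options are applied, so server-side callers must set SSL_OP_NO_TICKET themselves when the worker has no working ticket keys (see accept_connection).`. The failure branch of `create_ssl` itself is outside the shown hunks, so confirm the nullptr wording against it.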