@@ -430,11 +430,11 @@
 /*
  *-------------------------------------------------------------------
  *
  * Session Callback for Clients --
  *
- * Called when a new session ticket has been received. In TLS 1.3
+ * Called when a new session is added to the cache. In TLS 1.3
  * this may be received multiple times after the handshake. For
  * earlier versions, this will be received during the handshake.
  *
  * Results:
  * None
@@ -454,12 +454,15 @@
     int code;
     size_t len2;
 
     dprintf("Called");
 
-    if (statePtr->callback == (Tcl_Obj*)NULL)
-        return 0;
+    if (statePtr->callback == (Tcl_Obj*)NULL) {
+        return SSL_TLSEXT_ERR_OK;
+    } else if (ssl == NULL) {
+        return SSL_TLSEXT_ERR_NOACK;
+    }
 
     cmdPtr = Tcl_DuplicateObj(statePtr->callback);
     Tcl_ListObjAppendElement(interp, cmdPtr, Tcl_NewStringObj("session", -1));
 
     /* Session id */
@@ -488,11 +491,12 @@
     }
     Tcl_DecrRefCount(cmdPtr);
     Tcl_Release((ClientData) statePtr);
     Tcl_Release((ClientData) interp);
-    return 1;
+    /* If return non-zero, caller will have to do a SSL_SESSION_free() on the structure. */
+    return 0;
 }
 
 /*
  *-------------------------------------------------------------------
  *
@@ -524,12 +528,15 @@
     Tcl_Obj *cmdPtr;
     int code;
 
     dprintf("Called");
 
-    if (statePtr->callback == (Tcl_Obj*)NULL)
+    if (statePtr->callback == (Tcl_Obj*)NULL) {
         return SSL_TLSEXT_ERR_OK;
+    } else if (ssl == NULL) {
+        return SSL_TLSEXT_ERR_NOACK;
+    }
 
     /* Select protocol */
     SSL_select_next_proto(out, outlen, statePtr->protos, statePtr->protos_len, in, inlen);
 
     cmdPtr = Tcl_DuplicateObj(statePtr->callback);
@@ -658,12 +665,15 @@
     const unsigned char *p;
     size_t len, remaining;
 
     dprintf("Called");
 
-    if (statePtr->callback == (Tcl_Obj*)NULL)
-        return SSL_CLIENT_HELLO_SUCCESS;
+    if (statePtr->callback == (Tcl_Obj*)NULL) {
+        return SSL_TLSEXT_ERR_OK;
+    } else if (ssl == NULL) {
+        return SSL_TLSEXT_ERR_NOACK;
+    }
 
     /* Get names */
     if (!SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining) || remaining <= 2) {
         return SSL_CLIENT_HELLO_ERROR;
     }
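Review bot: In the @@ -454 hunk the new `ssl == NULL` branch returns SSL_TLSEXT_ERR_NOACK, which is a non-zero value (OpenSSL defines it as 3), so under the SSL_CTX_sess_set_new_cb contract that the commit itself documents at @@ -488 OpenSSL assumes this callback kept a reference to `sess` and never releases it — the session object leaks on that path. SSL_TLSEXT_ERR_OK and SSL_TLSEXT_ERR_NOACK are the result codes of the ALPN selection callback at @@ -524; the first branch here only works because SSL_TLSEXT_ERR_OK happens to be 0. Both early exits in this function should be `return 0;`, matching the corrected final return. The function's signature and its `sess` parameter are above the hunk.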
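Review bot: The comment added at @@ -488, `/* If return non-zero, caller will have to do a SSL_SESSION_free() on the structure. */`, reads as if OpenSSL (the caller) frees on a non-zero return, which is the opposite of the SSL_CTX_sess_set_new_cb contract: returning 1 means this callback retains a reference and is itself obliged to call SSL_SESSION_free() later, while 0 leaves ownership with OpenSSL. Suggest `/* Return 0: we keep no reference to sess, so OpenSSL releases it. Returning 1 would keep a reference and oblige us to call SSL_SESSION_free() later. */`, so the next maintainer does not reintroduce the old `return 1;` leak.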
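Review bot: In the @@ -658 hunk, replacing `return SSL_CLIENT_HELLO_SUCCESS;` with `return SSL_TLSEXT_ERR_OK;` turns the no-callback case into a handshake failure: the callback installed with SSL_CTX_set_client_hello_cb (at @@ -1345) must return SSL_CLIENT_HELLO_SUCCESS, which is 1, and SSL_TLSEXT_ERR_OK is 0 — the same value as SSL_CLIENT_HELLO_ERROR that this hunk's own last lines use to abort. Unless a command callback is always configured, a server built from this commit would appear to reject every connection. SSL_TLSEXT_ERR_NOACK is not a defined client-hello result either, and I believe OpenSSL treats an unrecognised value as a failed callback. Suggest `return SSL_CLIENT_HELLO_SUCCESS;` for the missing-callback branch and `return SSL_CLIENT_HELLO_ERROR;` for the null-ssl branch; the function's signature is above the hunk.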
@@ -1329,11 +1339,10 @@
      * SSL Callbacks
      */
     SSL_set_app_data(statePtr->ssl, (void *)statePtr); /* point back to us */
     SSL_set_verify(statePtr->ssl, verify, VerifyCallback);
     SSL_CTX_set_info_callback(statePtr->ctx, InfoCallback);
-    SSL_CTX_sess_set_new_cb(statePtr->ctx, SessionCallback);
 
     /* Create Tcl_Channel BIO Handler */
     statePtr->p_bio = BIO_new_tcl(statePtr, BIO_NOCLOSE);
     statePtr->bio = BIO_new(BIO_f_ssl());
@@ -1345,10 +1354,14 @@
         SSL_CTX_set_client_hello_cb(statePtr->ctx, HelloCallback, (void *)statePtr);
         statePtr->flags |= TLS_TCL_SERVER;
         SSL_set_accept_state(statePtr->ssl);
     } else {
+        /* Session caching */
+        SSL_CTX_set_session_cache_mode(statePtr->ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
+        SSL_CTX_sess_set_new_cb(statePtr->ctx, SessionCallback);
+
         SSL_set_connect_state(statePtr->ssl);
     }
 
     SSL_set_bio(statePtr->ssl, statePtr->p_bio, statePtr->p_bio);
     BIO_set_ssl(statePtr->bio, statePtr->ssl, BIO_NOCLOSE);