diff --git a/src/node/channels.h b/src/node/channels.h
index 0b33226c0519..c2163eb56528 100644
--- a/src/node/channels.h
+++ b/src/node/channels.h
@@ -406,7 +406,10 @@ namespace ccf
 {
 // Whatever else we _were_ doing, we've received a valid init from them
 // - reset to use it
- kex_ctx.reset();
+ if (status.check(ESTABLISHED))
+ {
+ kex_ctx.reset();
+ }
 peer_cert = cert;
 peer_cv = verifier;
 }
diff --git a/src/tls/key_exchange.h b/src/tls/key_exchange.h
index 62866ae355dc..5cc4d8c572bd 100644
--- a/src/tls/key_exchange.h
+++ b/src/tls/key_exchange.h
@@ -158,23 +158,28 @@ namespace tls
 throw std::runtime_error("Missing peer key share");
 }
- int rc = mbedtls_ecdh_read_public(ctx.get(), ks.p, ks.n);
- if (rc != 0)
- {
- throw std::logic_error(error_string(rc));
- }
-
 peer_key_share = {ks.p, ks.p + ks.n};
 }
 std::vector compute_shared_secret()
 {
+ int rc;
+ if (peer_key_share.size() > 0)
+ {
+ rc = mbedtls_ecdh_read_public(
+ ctx.get(), peer_key_share.data(), peer_key_share.size());
+ if (rc != 0)
+ {
+ throw std::logic_error(error_string(rc));
+ }
+ }
+
 crypto::EntropyPtr entropy = crypto::create_entropy();
 // Should only be called once, when peer public has been loaded.
 std::vector shared_secret(len_shared_secret);
 size_t len;
- int rc = mbedtls_ecdh_calc_secret(
+ rc = mbedtls_ecdh_calc_secret(
 ctx.get(),
 &len,
 shared_secret.data(),
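Review bot: In src/node/channels.h the comment kept above the new `if (status.check(ESTABLISHED))` still reads as if the key-exchange context is reset on every valid init, yet the reset now runs only in the ESTABLISHED state while `peer_cert` and `peer_cv` are replaced in every state. I would reword it to state the rule and its reason, e.g. `// Replace the peer identity; drop kex_ctx only if a channel was already established, so an exchange in progress keeps its key share` (the reason is my reading of the change and should be confirmed). It is also worth confirming that a context kept this way cannot pair key material exchanged under the previous certificate with the newly stored `peer_cert`. The enclosing function starts and ends outside the hunk.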
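Review bot: In src/tls/key_exchange.h, `compute_shared_secret()` silently skips `mbedtls_ecdh_read_public` when `peer_key_share` is empty and goes straight on to `mbedtls_ecdh_calc_secret`, so a missing peer share is no longer reported at a defined point. Unless an empty share is a supported state, an explicit guard keeps the failure clear: `if (peer_key_share.empty()) { throw std::logic_error("Missing peer key share"); }`. Moving the parse here also means the loader now stores peer-supplied bytes unparsed, so call sites that relied on it throwing for a malformed share need to handle the exception from `compute_shared_secret()` instead. As a smaller point, `int rc;` could be declared where it is first assigned. Both functions extend outside the hunk.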