diff --git a/NEWS b/NEWS
index 14e7ff7d..10b6691b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,7 @@
 * Version 0.12.3 (unreleased)
 - Prevented crash when no DTLS ciphersuite is negotiated
+- occtl: print the TLS session information, even if the DTLS channel
+ is not established.
 
 * Version 0.12.2 (released 2019-01-10)
 
diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index 2988d2ea..1acecb17 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -226,18 +226,18 @@ static int setup_dtls_psk_keys(gnutls_session_t session, struct worker_st *ws)
 gnutls_psk_set_server_credentials_function(WSCREDS(ws)->pskcred, get_psk_key);
 
- if (ws->session && WSCONFIG(ws)->match_dtls_and_tls) {
+ if (!ws->session) {
+ oclog(ws, LOG_ERR, "cannot setup PSK keys without an encrypted CSTP channel");
+ return -1;
+ }
+
+ if (WSCONFIG(ws)->match_dtls_and_tls) {
 cipher = gnutls_cipher_get(ws->session);
 mac = gnutls_mac_get(ws->session);
 snprintf(prio_string, sizeof(prio_string), "%s:"VERS_STRING":-CIPHER-ALL:-MAC-ALL:-KX-ALL:+PSK:+VERS-DTLS-ALL:+%s:+%s",
 WSCONFIG(ws)->priorities, gnutls_mac_get_name(mac), gnutls_cipher_get_name(cipher));
 } else {
- if (WSCONFIG(ws)->match_dtls_and_tls) {
- oclog(ws, LOG_ERR, "cannot determine ciphersuite from CSTP channel (unset match-tls-dtls-ciphers)");
- return -1;
- }
-
 /* if we haven't an associated session, enable all ciphers we would have enabled
 * otherwise for TLS. */
 snprintf(prio_string, sizeof(prio_string), "%s:"VERS_STRING":-KX-ALL:+PSK:+VERS-DTLS-ALL",
@@ -801,6 +801,8 @@ void vpn_server(struct worker_st *ws)
 oclog(ws, LOG_DEBUG, "Accepted unix connection");
 }
 
+ ws->session = session;
+
 session_info_send(ws);
 
 memset(&settings, 0, sizeof(settings));
@@ -823,7 +825,6 @@ void vpn_server(struct worker_st *ws)
 oclog(ws, LOG_DEBUG, "proxy-hdr: peer is %s\n", ws->remote_ip_str);
 }
 
- ws->session = session;
 ws->parser = &parser;
 
 restart:
diff --git a/tests/cipher-common.sh b/tests/cipher-common.sh
index ce663684..26ea715c 100755
--- a/tests/cipher-common.sh
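Review bot: The comment left in the else branch of setup_dtls_psk_keys, `/* if we haven't an associated session, enable all ciphers we would have enabled otherwise for TLS. */`, is now wrong: the new `if (!ws->session)` guard returns -1 before it, so the else branch is only reached when a CSTP session exists but match_dtls_and_tls is off. Replace it with `/* CSTP session exists but match-tls-dtls-ciphers is off: allow every PSK ciphersuite the configured priorities permit, not only the one TLS negotiated. */`. The guard itself is a good fail-closed change — in the old code a missing session with match_dtls_and_tls unset fell through to the broad `-KX-ALL:+PSK:+VERS-DTLS-ALL` priority string — and that intent deserves a line next to it, e.g. `/* DTLS PSK keys are derived from the CSTP session; refuse rather than fall back to an unpinned priority string */`. setup_dtls_psk_keys starts and ends outside the hunk.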
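Review bot: `ws->session = session;` is moved ahead of `session_info_send(ws)` in vpn_server without a comment saying why the order matters, which is the whole point of the commit; a later reorder would silently drop the TLS details from occtl again. Suggest `/* must precede session_info_send(): the TLS session details it reports come from ws->session */`. The line just above logs "Accepted unix connection", which hints at a non-TLS accept path; if `session` can be NULL there, session_info_send() now observes ws->session == NULL where previously it was unset, so it must tolerate that — cannot be confirmed from this hunk. vpn_server continues outside the hunk.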
+++ b/tests/cipher-common.sh
@@ -137,7 +137,7 @@
 if test $? != 0;then
 exit 1
 fi
-grep "Username: ${USERNAME}" ${OUTFILE}
+grep "Username: ${USERNAME}" ${OUTFILE} >/dev/null
 if test $? != 0;then
 ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
 echo "occtl show user didn't find connected user!"
@@ -145,14 +145,14 @@
 fi
 
 if test -z "${GNUTLS_NAME}";then
- grep "DTLS cipher:" ${OUTFILE}
+ grep "DTLS cipher:" ${OUTFILE} >/dev/null
 if test $? = 0;then
 ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
 echo "occtl show user did show a cipher!"
 exit 1
 fi
 else
- grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE}
+ grep "DTLS cipher: ${GNUTLS_NAME}" ${OUTFILE} >/dev/null
 if test $? != 0;then
 ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
 echo "occtl show user didn't show cipher!"
@@ -160,7 +160,14 @@
 fi
 fi
 
-grep ${CLI_ADDRESS} ${OUTFILE}
+grep -E '[[:space:]]+TLS ciphersuite:' ${OUTFILE} >/dev/null
+if test $? != 0;then
+${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+echo "occtl show user did not show a TLS cipher!"
+exit 1
+fi
+
+grep ${CLI_ADDRESS} ${OUTFILE} >/dev/null
 if test $? != 0;then
 ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
 echo "occtl show user didn't find client address!"
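Review bot: The new assertion `grep -E '[[:space:]]+TLS ciphersuite:' ${OUTFILE}` only proves that a label is printed, not that a ciphersuite follows it; an empty or "(null)" value would pass, whereas the DTLS check above pins `${GNUTLS_NAME}`. Tighten it to require a value, `grep -E '[[:space:]]+TLS ciphersuite: [^[:space:]]+' ${OUTFILE} >/dev/null`, or compare against the expected TLS suite if the harness knows it. Style: the `>/dev/null` redirects added throughout could be `grep -q`, which also stops at the first match. `${OUTFILE}` and `${CLI_ADDRESS}` should be double-quoted so an unset variable makes grep fail instead of reading stdin or treating the filename as the pattern.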