diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index ad5eb506..4e73bc2c 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -368,7 +368,6 @@ int dtls1_connect(SSL *ssl) {
         ssl->state = SSL3_ST_CW_FINISHED_A;
         ssl->init_num = 0;
 
-        ssl->session->cipher = ssl->s3->tmp.new_cipher;
         if (!ssl->enc_method->setup_key_block(ssl) ||
             !ssl->enc_method->change_cipher_state(
                 ssl, SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 3ba9411c..4f2d5ec9 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -393,7 +393,6 @@ int dtls1_accept(SSL *ssl) {
 
       case SSL3_ST_SW_CHANGE_A:
       case SSL3_ST_SW_CHANGE_B:
-        ssl->session->cipher = ssl->s3->tmp.new_cipher;
         if (!ssl->enc_method->setup_key_block(ssl)) {
           ret = -1;
           goto end;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 5f68037e..0fca13cc 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -388,7 +388,6 @@ int ssl3_connect(SSL *ssl) {
         }
         ssl->init_num = 0;
 
-        ssl->session->cipher = ssl->s3->tmp.new_cipher;
         if (!ssl->enc_method->setup_key_block(ssl) ||
             !ssl->enc_method->change_cipher_state(
                 ssl, SSL3_CHANGE_CIPHER_CLIENT_WRITE)) {
@@ -867,6 +866,8 @@ int ssl3_get_server_hello(SSL *ssl) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_OLD_SESSION_VERSION_NOT_RETURNED);
       goto f_err;
     }
+  } else {
+    ssl->session->cipher = c;
   }
   ssl->s3->tmp.new_cipher = c;
 
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 4c1133c1..e9c9be5f 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -653,7 +653,6 @@ int ssl3_do_change_cipher_spec(SSL *ssl) {
       return 0;
     }
 
-    ssl->session->cipher = ssl->s3->tmp.new_cipher;
     if (!ssl->enc_method->setup_key_block(ssl)) {
       return 0;
     }
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 49a1a95c..489f585a 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -502,7 +502,6 @@ int ssl3_accept(SSL *ssl) {
 
       case SSL3_ST_SW_CHANGE_A:
       case SSL3_ST_SW_CHANGE_B:
-        ssl->session->cipher = ssl->s3->tmp.new_cipher;
         if (!ssl->enc_method->setup_key_block(ssl)) {
           ret = -1;
           goto end;
@@ -1059,6 +1058,7 @@ int ssl3_get_client_hello(SSL *ssl) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_NO_SHARED_CIPHER);
       goto f_err;
     }
+    ssl->session->cipher = c;
     ssl->s3->tmp.new_cipher = c;
 
     /* Determine whether to request a client certificate. */