diff --git a/src/internal.c b/src/internal.c
index 7b28e0037..088161390 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -18124,7 +18124,7 @@ int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
         if(IsAtLeastTLSv1_3(ssl->version)) {
 #ifdef WOLFSSL_DTLS13
             ret = Dtls13ProcessBufferedMessages(ssl);
-#elif
+#else
             ret = NOT_COMPILED_IN;
 #endif /* WOLFSSL_DTLS13 */
         }
@@ -23272,7 +23272,6 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
             haveStaticECC = 1;
             haveStaticRSA = 1;
             haveRSAsig = 1;
-            haveECDSAsig = 1;
             havePSK = 1;
             haveNull = 0;
 
@@ -23296,7 +23295,6 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
             haveStaticECC = 0;
             haveStaticRSA = 0;
             haveRSAsig = 1;
-            haveECDSAsig = 1;
             havePSK = 1;
             haveNull = 0;
 
diff --git a/src/pk.c b/src/pk.c
index 747f14ece..018f0f2ef 100644
--- a/src/pk.c
+++ b/src/pk.c
@@ -2637,7 +2637,7 @@ int wolfSSL_RSA_set_ex_data_with_cleanup(WOLFSSL_RSA *rsa, int idx, void *data,
 {
     WOLFSSL_ENTER("wolfSSL_RSA_set_ex_data_with_cleanup");
 
-    return (rsa == NULL) ? NULL :
+    return (rsa == NULL) ? 0 :
         wolfSSL_CRYPTO_set_ex_data_with_cleanup(&rsa->ex_data, idx, data,
             freeCb);
 }
diff --git a/src/ssl.c b/src/ssl.c
index 1145f51e2..4d5e548f0 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -11853,7 +11853,8 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
         #endif
 
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
-        if (ssl->ConnectFilter) {
+        if ((ssl->ConnectFilter != NULL) &&
+            (ssl->options.connectState == CONNECT_BEGIN)) {
             wolfSSL_netfilter_decision_t res;
             if ((ssl->ConnectFilter(ssl, ssl->ConnectFilter_arg, &res) ==
                  WOLFSSL_SUCCESS) &&
@@ -12324,7 +12325,13 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
         WOLFSSL_ENTER("SSL_accept()");
 
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
-        if (ssl->AcceptFilter) {
+        if ((ssl->AcceptFilter != NULL) &&
+            ((ssl->options.acceptState == ACCEPT_BEGIN)
+#ifdef HAVE_SECURE_RENEGOTIATION
+             || (ssl->options.acceptState == ACCEPT_BEGIN_RENEG)
+#endif
+                ))
+        {
             wolfSSL_netfilter_decision_t res;
             if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
                  WOLFSSL_SUCCESS) &&
diff --git a/src/tls13.c b/src/tls13.c
index 4c6592835..0632b0103 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -9746,7 +9746,9 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
     }
 
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
-    if (ssl->ConnectFilter) {
+    if ((ssl->ConnectFilter != NULL) &&
+        (ssl->options.connectState == CONNECT_BEGIN))
+    {
         wolfSSL_netfilter_decision_t res;
         if ((ssl->ConnectFilter(ssl, ssl->ConnectFilter_arg, &res) ==
              WOLFSSL_SUCCESS) &&
@@ -10781,7 +10783,13 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
     }
 
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
-    if (ssl->AcceptFilter) {
+    if ((ssl->AcceptFilter != NULL) &&
+            ((ssl->options.acceptState == TLS13_ACCEPT_BEGIN)
+#ifdef HAVE_SECURE_RENEGOTIATION
+             || (ssl->options.acceptState == TLS13_ACCEPT_BEGIN_RENEG)
+#endif
+                ))
+    {
         wolfSSL_netfilter_decision_t res;
         if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
              WOLFSSL_SUCCESS) &&