diff --git a/examples/client/client.c b/examples/client/client.c
index 8581a9c89..1d12aa6bf 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -616,9 +616,6 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
             do {
                 err = 0; /* reset error */
                 ret = wolfSSL_connect(ssl);
-#ifdef WOLFSSL_EARLY_DATA
-                EarlyDataStatus(ssl);
-#endif
                 if (ret != WOLFSSL_SUCCESS) {
                     err = wolfSSL_get_error(ssl, 0);
                 #ifdef WOLFSSL_ASYNC_CRYPT
@@ -630,6 +627,9 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
                 #endif
                 }
             } while (err == WC_PENDING_E);
+        #ifdef WOLFSSL_EARLY_DATA
+            EarlyDataStatus(ssl);
+        #endif
             if (ret != WOLFSSL_SUCCESS) {
                 err_sys("SSL_connect failed");
             }
diff --git a/examples/server/server.c b/examples/server/server.c
index 324f1b68b..049986b97 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -3156,9 +3156,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
             do {
                 err = 0; /* reset error */
                 ret = SSL_accept(ssl);
-#ifdef WOLFSSL_EARLY_DATA
-                EarlyDataStatus(ssl);
-#endif
                 if (ret != WOLFSSL_SUCCESS) {
                     err = SSL_get_error(ssl, 0);
                 #ifdef WOLFSSL_ASYNC_CRYPT
@@ -3172,6 +3169,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
         }
 #else
         ret = NonBlockingSSL_Accept(ssl);
+#endif
+#ifdef WOLFSSL_EARLY_DATA
+        EarlyDataStatus(ssl);
 #endif
         if (ret != WOLFSSL_SUCCESS) {
             err = SSL_get_error(ssl, 0);
diff --git a/src/tls13.c b/src/tls13.c
index ea98ba57f..9f2dd3056 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -4577,7 +4577,8 @@ static int FindPsk(WOLFSSL* ssl, PreSharedKey* psk, byte* suite, int* err)
  * first       Set to 1 if first in extension
  * returns 0 on success and otherwise failure.
  */
-static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
+static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz,
+    byte* suite, int* usingPSK, int* first)
 {
     int           ret = 0;
     TLSX*         ext;
@@ -4608,8 +4609,13 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
 
     #ifdef HAVE_SESSION_TICKET
         /* Decode the identity. */
-        if (DoClientTicket(ssl, current->identity, current->identityLen)
-                                                     == WOLFSSL_TICKET_RET_OK) {
+        ret = DoClientTicket(ssl, current->identity, current->identityLen);
+        #ifdef WOLFSSL_ASYNC_CRYPT
+        if (ret == WC_PENDING_E)
+            return ret;
+        #endif
+
+        if (ret == WOLFSSL_TICKET_RET_OK) {
             word32  now;
             sword64 diff;
 
@@ -4678,6 +4684,12 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
             ret = DeriveEarlySecret(ssl);
             if (ret != 0)
                 return ret;
+
+            /* Hash data up to binders for deriving binders in PSK extension. */
+            ret = HashInput(ssl, input, inputSz);
+            if (ret < 0)
+                return ret;
+
             /* Derive the binder key to use with HMAC. */
             ret = DeriveBinderKeyResume(ssl, binderKey);
             if (ret != 0)
@@ -4690,6 +4702,10 @@ static int DoPreSharedKeys(WOLFSSL* ssl, byte* suite, int* usingPSK, int* first)
             if (ret != 0)
                 return ret;
 
+            ret = HashInput(ssl, input, inputSz);
+            if (ret < 0)
+                return ret;
+
             /* Derive the binder key to use with HMAC. */
             ret = DeriveBinderKey(ssl, binderKey);
             if (ret != 0)
@@ -4801,11 +4817,6 @@ static int CheckPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
     if (ret < 0)
         return ret;
 
-    /* Hash data up to binders for deriving binders in PSK extension. */
-    ret = HashInput(ssl, input,  helloSz - bindersLen);
-    if (ret < 0)
-        return ret;
-
     /* Refine list for PSK processing. */
     RefineSuites(ssl, clSuites);
 
@@ -4816,8 +4827,8 @@ static int CheckPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
     if (!ssl->options.useClientOrder) {
         /* Server order - server list has only common suites from refining. */
         for (i = 0; !(*usingPSK) && i < ssl->suites->suiteSz; i += 2) {
-            ret = DoPreSharedKeys(ssl, ssl->suites->suites + i, usingPSK,
-                                                                        &first);
+            ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen,
+                ssl->suites->suites + i, usingPSK, &first);
             if (ret != 0) {
                 return ret;
             }
@@ -4827,15 +4838,16 @@ static int CheckPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
         /* Client order */
         for (j = 0; !(*usingPSK) && j < clSuites->suiteSz; j += 2) {
             for (i = 0; !(*usingPSK) && i < ssl->suites->suiteSz; i += 2) {
-            ret = DoPreSharedKeys(ssl, ssl->suites->suites + i, usingPSK,
-                                                                        &first);
+            ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen,
+                ssl->suites->suites + i, usingPSK, &first);
                 if (ret != 0)
                     return ret;
             }
         }
     }
 #else
-    ret = DoPreSharedKeys(ssl, suite, usingPSK, &first);
+    ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen, suite, usingPSK,
+        &first);
     if (ret != 0)
         return ret;
 #endif