diff --git a/src/internal.c b/src/internal.c
index e2fdbcc71..0de6c4053 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -209,15 +209,14 @@ int IsAtLeastTLSv1_3(const ProtocolVersion pv)
 
 static WC_INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend)
 {
-    (void)isSend;
-
     #ifdef WOLFSSL_DTLS
     /* For DTLS, epoch 0 is always not encrypted. */
     if (ssl->options.dtls && !isSend && ssl->keys.curEpoch == 0)
         return 0;
     #endif /* WOLFSSL_DTLS */
 
-    return ssl->keys.encryptionOn;
+    return ssl->keys.encryptionOn &&
+        (isSend ? ssl->encrypt.setup : ssl->decrypt.setup);
 }
 
 
@@ -29560,7 +29559,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
                         if (ssl->arrays->psk_keySz == 0 ||
                                 ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
-                            #ifdef WOLFSSL_EXTRA_ALERTS
+                            #if defined(WOLFSSL_EXTRA_ALERTS) || \
+                                defined(WOLFSSL_PSK_IDENTITY_ALERT)
                                 SendAlert(ssl, alert_fatal,
                                         unknown_psk_identity);
                             #endif
@@ -30444,7 +30444,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
                         if (ssl->arrays->psk_keySz == 0 ||
                                 ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
-                            #ifdef WOLFSSL_EXTRA_ALERTS
+                            #if defined(WOLFSSL_EXTRA_ALERTS) || \
+                                defined(WOLFSSL_PSK_IDENTITY_ALERT)
                                 SendAlert(ssl, alert_fatal,
                                         unknown_psk_identity);
                             #endif