diff --git a/tests/openssl.cnf.in b/tests/openssl.cnf.in
index 698584b5..7bf59146 100644
--- a/tests/openssl.cnf.in
+++ b/tests/openssl.cnf.in
@@ -28,6 +28,7 @@ pkcs11-module-token-pin = file:@PINFILE@
 #pkcs11-module-allow-export
 #pkcs11-module-load-behavior
 #pkcs11-module-block-operations
+#pkcs11-module-cache-keys
 activate = 1
 ####################################################################
diff --git a/tests/ttls b/tests/ttls
index 85185a7f..415f68c0 100755
--- a/tests/ttls
+++ b/tests/ttls
@@ -65,11 +65,13 @@ run_test() {
 send \" NO EOF \n\";
 exit 1;
 };
- }" > "${TMPPDIR}/s_server_output" &
+ }" &> "${TMPPDIR}/s_server_output" &
 SERVER_PID=$!
 read -r < "${TMPPDIR}/s_server_ready"
+ # The point is to force the server to use the pkcs11-provider for all operations, not the client now
+ OPENSSL_CONF="${ORIG_OPENSSL_CONF}" \
 expect -c "spawn $CHECKER openssl s_client -connect \"localhost:${PORT}\" -CAfile \"${CACRT}\" $CLNT_ARGS; set timeout 60; expect {
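Review bot: The new `OPENSSL_CONF="${ORIG_OPENSSL_CONF}" \` prefix on the s_client line reads a variable that is only assigned at top level after this function is defined, so if run_test is ever invoked before that assignment the client silently gets an empty OPENSSL_CONF and runs with OpenSSL's default configuration instead of the test one, and nothing in the hunk would notice. A guard just before it, `: "${ORIG_OPENSSL_CONF:?must be set before run_test}"`, turns that into a hard failure. The switch from `>` to `&>` on the s_server line is a bash-only redirect, which is fine if the script's shebang is bash (not visible here) but would be a stray `&` under /bin/sh. run_test begins before and ends after this hunk.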
@@ -90,36 +92,49 @@ run_test() {
 wait_for_server_at_exit $SERVER_PID
 }
-title PARA "Run sanity test with default values (RSA)"
-run_test "$PRIURI" "$CRTURI"
+run_tests() {
-title PARA "Run sanity test with default values (ECDSA)"
-run_test "$ECPRIURI" "$ECCRTURI"
+ title PARA "Run sanity test with default values (RSA)"
+ run_test "$PRIURI" "$CRTURI"
-title PARA "Run test with TLS 1.2"
-run_test "$PRIURI" "$CRTURI" "" "-tls1_2"
+ title PARA "Run sanity test with default values (ECDSA)"
+ run_test "$ECPRIURI" "$ECCRTURI"
-title PARA "Run test with explicit TLS 1.3"
-run_test "$PRIURI" "$CRTURI" "" "-tls1_3"
+ title PARA "Run test with TLS 1.2"
+ run_test "$PRIURI" "$CRTURI" "" "-tls1_2"
-title PARA "Run test with TLS 1.2 (ECDSA)"
-run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2"
+ title PARA "Run test with explicit TLS 1.3"
+ run_test "$PRIURI" "$CRTURI" "" "-tls1_3"
-title PARA "Run test with TLS 1.2 and ECDH"
-run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1"
+ title PARA "Run test with TLS 1.2 (ECDSA)"
+ run_test "$ECPRIURI" "$ECCRTURI" "-tls1_2" "-tls1_2"
+ title PARA "Run test with TLS 1.2 and ECDH"
+ run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256 -groups secp256r1"
+
+ title PARA "Run test with TLS 1.3"
+ run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384 -groups secp256r1"
+}
+
+title SECTION "TLS with key in provider"
+# needed to restore the openssl conf for the client
+ORIG_OPENSSL_CONF=${OPENSSL_CONF}
+run_tests
+title ENDSECTION
+
+title SECTION "Forcing the provider for all server operations"
 #Try again forcing all operations on the token
 #We need to disable digest operations as OpenSSL depends on context duplication working
 ORIG_OPENSSL_CONF=${OPENSSL_CONF}
-sed -e "s/#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \
- -e "s/#pkcs11-module-block-operations/pkcs11-module-block-operations = digest/" \
+sed -e "s/^#MORECONF/alg_section = algorithm_sec\n\n[algorithm_sec]\ndefault_properties = ?provider=pkcs11/" \
+ -e "s/^#pkcs11-module-block-operations/pkcs11-module-block-operations = digest/" \
+ -e "s/^#pkcs11-module-cache-keys.*$/pkcs11-module-cache-keys = false/" \
 "${OPENSSL_CONF}" > "${OPENSSL_CONF}.forcetoken"
 OPENSSL_CONF=${OPENSSL_CONF}.forcetoken
-title PARA "Run test with TLS 1.3 preferring token functions"
-run_test "$ECPRIURI" "$ECCRTURI" "" "-tls1_3"
+run_tests
 OPENSSL_CONF=${ORIG_OPENSSL_CONF}
-
+title ENDSECTION
 exit 0;
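Review bot: `ORIG_OPENSSL_CONF=${OPENSSL_CONF}` is now assigned twice with the same value — once in the new "TLS with key in provider" section and again in the retained "Forcing the provider" section — so the second copy is dead today but would silently re-capture a changed OPENSSL_CONF if anything ever sets it between the two sections, leaving the client on the wrong config; drop the second assignment or replace it with `: "${ORIG_OPENSSL_CONF:?}"`. The section title says "Forcing", yet the injected `default_properties = ?provider=pkcs11` only prefers the pkcs11 provider (the leading `?` makes the match optional), presumably kept soft because digests are blocked on the token; a comment such as `# '?' = prefer, not require: digests are blocked, so a hard requirement would fail the handshake` next to the sed would stop the next reader from "fixing" it. The script still ends in `exit 0;` unconditionally; whether run_test aborts the script on a failed handshake is outside this hunk, so the overall exit status cannot be judged here.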