diff --git a/daemon/call.c b/daemon/call.c
index 4a8e1bfbc..424b324c9 100644
--- a/daemon/call.c
+++ b/daemon/call.c
@@ -1103,7 +1103,7 @@ int __init_stream(struct packet_stream *ps) {
 }
 if (!PS_ISSET(ps, FINGERPRINT_VERIFIED) && media->fingerprint.hash_func
- && ps->dtls_cert)
+ && media->fingerprint.digest_len && ps->dtls_cert)
 {
 if (dtls_verify_cert(ps))
 return -1;
@@ -1680,7 +1680,7 @@ static void __fingerprint_changed(struct call_media *m) {
 GList *l;
 struct packet_stream *ps;
- if (!m->fingerprint.hash_func)
+ if (!m->fingerprint.hash_func || !m->fingerprint.digest_len)
 return;
 ilog(LOG_INFO, "DTLS fingerprint changed, restarting DTLS");
@@ -1689,6 +1689,7 @@ static void __fingerprint_changed(struct call_media *m) {
 ps = l->data;
 PS_CLEAR(ps, FINGERPRINT_VERIFIED);
 dtls_shutdown(ps);
+ __init_stream(ps);
 }
 }
diff --git a/daemon/dtls.c b/daemon/dtls.c
index 3dbe1dea4..dd3485464 100644
--- a/daemon/dtls.c
+++ b/daemon/dtls.c
@@ -431,7 +431,7 @@ static int verify_callback(int ok, X509_STORE_CTX *store) {
 X509_free(ps->dtls_cert);
 ps->dtls_cert = X509_dup(X509_STORE_CTX_get_current_cert(store));
- if (!media->fingerprint.hash_func)
+ if (!media->fingerprint.hash_func || !media->fingerprint.digest_len)
 return 1; /* delay verification */
 if (dtls_verify_cert(ps))
diff --git a/daemon/sdp.c b/daemon/sdp.c
index 5fbc068ad..4e48dceba 100644
--- a/daemon/sdp.c
+++ b/daemon/sdp.c
@@ -1537,6 +1537,7 @@ int sdp_streams(const GQueue *sessions, GQueue *streams, struct sdp_ng_flags *fl
 sp->fingerprint.hash_func = attr->u.fingerprint.hash_func;
 memcpy(sp->fingerprint.digest, attr->u.fingerprint.fingerprint, sp->fingerprint.hash_func->num_bytes);
+ sp->fingerprint.digest_len = sp->fingerprint.hash_func->num_bytes;
 }
 // OSRTP (RFC 8643)
diff --git a/include/dtls.h b/include/dtls.h
index 2690f13ca..ebb192362 100644
--- a/include/dtls.h
+++ b/include/dtls.h
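Review bot: The added `media->fingerprint.digest_len` test introduces a third state for the fingerprint — hash function known, digest not yet received — in which the stream is initialized with `ps->dtls_cert` still unverified, and nothing on the condition says that this is deliberate. A comment should spell the contract out: `/* hash_func set but digest_len == 0: hash function chosen up front, digest still pending; verification is deferred until it arrives */`. The guard also does not check that `digest_len` agrees with `hash_func->num_bytes`; if `dtls_verify_cert()` (not visible here) compares `num_bytes` rather than `digest_len` bytes, a later change of `hash_func` alone would compare against a stale digest of a different length, so it should use `digest_len` and reject a mismatch. `__init_stream` starts and continues outside this hunk.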
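Review bot: The widened early return now also fires when the fingerprint changes to one that has `hash_func` but no digest yet, and in that case the stream keeps its previous `FINGERPRINT_VERIFIED` state and its running DTLS session without any trace in the log; whether a later arrival of the digest triggers this function again is not visible here. Make the deferred case observable with a line before the `return;`, e.g. `ilog(LOG_DEBUG, "DTLS fingerprint changed but digest not yet known, deferring DTLS restart");` (using whichever debug level the file already uses). `__fingerprint_changed` continues outside this hunk.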
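Review bot: The return value of the added `__init_stream(ps)` call is discarded, yet the first hunk of this file shows `__init_stream` returning -1 when `dtls_verify_cert(ps)` fails; so if `dtls_shutdown()` leaves `ps->dtls_cert` in place (not visible here), a stored certificate that does not match the new fingerprint fails verification silently and the loop moves on as though the restart succeeded. `__fingerprint_changed` is void, so the failure cannot be propagated, but it should at least be logged in the style of the `ilog()` call above: `if (__init_stream(ps)) ilog(LOG_WARN, "DTLS re-init after fingerprint change failed");` (substituting the file's warning level). The enclosing loop and the function start outside this hunk.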
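Review bot: Returning 1 while `digest_len` is 0 accepts the peer certificate unverified and relies entirely on the deferred check in `__init_stream`, which the call.c hunk shows only runs when `ps->dtls_cert` is non-NULL; the `X509_dup()` result assigned on the line above is never checked, so an allocation failure there leaves `ps->dtls_cert` NULL and the deferred verification never happens at all. Fail closed on the copy before entering the delay path: `if (!ps->dtls_cert) return 0;` ahead of the `hash_func`/`digest_len` test, and extend the `/* delay verification */` comment to name where the deferred check is enforced (`__init_stream`). `verify_callback` starts and continues outside this hunk.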
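Review bot: `digest_len` is taken from `hash_func->num_bytes`, the same value the `memcpy` above uses as its length, rather than from the number of bytes the `a=fingerprint` parser actually produced, so the new field can never indicate a short or over-long fingerprint in the SDP and the copy reads `num_bytes` from `attr->u.fingerprint.fingerprint` regardless. If the attribute parser already rejects a fingerprint whose length differs from the hash output (not visible here), a comment on the `memcpy` should say so, e.g. `/* parser guarantees fingerprint holds exactly hash_func->num_bytes */`; otherwise record the parsed length, reject a mismatch, and set `digest_len` from it. `sdp_streams` starts and continues outside this hunk.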
@@ -36,6 +36,7 @@ struct dtls_hash_func {
 struct dtls_fingerprint {
 unsigned char digest[DTLS_MAX_DIGEST_LEN];
+ unsigned int digest_len;
 const struct dtls_hash_func *hash_func;
 };
@@ -82,6 +83,7 @@ INLINE void __dtls_hash(const struct dtls_hash_func *hash_func, X509 *cert, unsi
 unsigned int n;
 assert(bufsize >= hash_func->num_bytes);
+ memset(out, 0, bufsize);
 n = hash_func->__func(out, cert);
 assert(n == hash_func->num_bytes);
 (void) n;
@@ -90,6 +92,7 @@ INLINE void __dtls_hash(const struct dtls_hash_func *hash_func, X509 *cert, unsi
 INLINE void dtls_fingerprint_hash(struct dtls_fingerprint *fp, X509 *cert) {
 __dtls_hash(fp->hash_func, cert, fp->digest, sizeof(fp->digest));
+ fp->digest_len = fp->hash_func->num_bytes;
 }
 INLINE int is_dtls(const str *s) {
diff --git a/utils/rtpengine-ng-client b/utils/rtpengine-ng-client
index 603127655..09ce66b7c 100755
--- a/utils/rtpengine-ng-client
+++ b/utils/rtpengine-ng-client
@@ -76,13 +76,14 @@ GetOptions(
 'OSRTP=s@' => \$options{'OSRTP'},
 'symmetric-codecs' => \$options{'symmetric codecs'},
 'asymmetric-codecs' => \$options{'asymmetric codecs'},
+ 'DTLS-fingerprint=s' => \$options{'DTLS-fingerprint'},
 ) or die;
 my $cmd = shift(@ARGV) or die;
 my %packet = (command => $cmd);
-for my $x (split(/,/, 'from-tag,to-tag,call-id,transport protocol,media address,ICE,address family,DTLS,via-branch,media address,ptime,xmlrpc-callback,metadata,address,file,db-id,code')) {
+for my $x (split(/,/, 'from-tag,to-tag,call-id,transport protocol,media address,ICE,address family,DTLS,via-branch,media address,ptime,xmlrpc-callback,metadata,address,file,db-id,code,DTLS-fingerprint')) {
 defined($options{$x}) and $packet{$x} = \$options{$x};
 }
 for my $x (split(/,/, 'TOS,delete-delay')) {
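Review bot: The new `digest_len` field carries an invariant that the other hunks of this commit depend on — `verify_callback` and `__init_stream` both treat `digest_len == 0` as "no digest yet" even when `hash_func` is set — but the struct says nothing about it, so the next writer of a `dtls_fingerprint` will not know that `hash_func` alone is a legal state or that a non-zero length must match the hash. Add a comment on the field: `/* 0 until a digest has been stored (hash_func may already be set, meaning the hash function was chosen before the digest was known); once set it must equal hash_func->num_bytes */`. The struct is complete within this hunk.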
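Review bot: `digest_len` is set to `hash_func->num_bytes` rather than to the byte count the hash callback actually returned; the `__dtls_hash` hunk above already computes that count as `n` but throws it away with `(void) n;`, and the `assert(n == hash_func->num_bytes)` that backs the assumption disappears under `NDEBUG`, leaving the new `memset` as the only thing keeping a short output from exposing stale bytes. Have `__dtls_hash` return `n` (change its return type to `unsigned int` and replace `(void) n;` with `return n;`) and write `fp->digest_len = __dtls_hash(fp->hash_func, cert, fp->digest, sizeof(fp->digest));` here, so the recorded length is the one that was produced. Both functions are complete within their hunks.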