diff --git a/http.c b/http.c
index 62b49b55..156a8f6c 100644
--- a/http.c
+++ b/http.c
@@ -460,8 +460,7 @@ static void add_common_headers(struct openconnect_info *vpninfo, struct oc_text_
 }
 }
 
-static int fetch_config(struct openconnect_info *vpninfo, char *bu, char *fu,
- char *server_sha1)
+static int fetch_config(struct openconnect_info *vpninfo)
 {
 struct oc_text_buf *buf;
 char *config_buf = NULL;
@@ -470,6 +469,15 @@ static int fetch_config(struct openconnect_info *vpninfo, char *bu, char *fu,
 char local_sha1_ascii[(SHA1_SIZE * 2)+1];
 int i;
 
+ if (!vpninfo->profile_url || !vpninfo->profile_sha1)
+ return -ENOENT;
+
+ if (!strncasecmp(vpninfo->xmlsha1, vpninfo->profile_sha1, SHA1_SIZE * 2)) {
+ vpn_progress(vpninfo, PRG_TRACE,
+ _("Not downloading XML profile because SHA1 already matches\n"));
+ return 0;
+ }
+
 if (openconnect_open_https(vpninfo)) {
 vpn_progress(vpninfo, PRG_ERR,
 _("Failed to open HTTPS connection to %s\n"),
@@ -478,7 +486,7 @@ static int fetch_config(struct openconnect_info *vpninfo, char *bu, char *fu,
 }
 
 buf = buf_alloc();
- buf_append(buf, "GET %s%s HTTP/1.1\r\n", bu, fu);
+ buf_append(buf, "GET %s HTTP/1.1\r\n", vpninfo->profile_url);
 add_common_headers(vpninfo, buf);
 buf_append(buf, "\r\n");
 
@@ -509,13 +517,15 @@ static int fetch_config(struct openconnect_info *vpninfo, char *bu, char *fu,
 for (i = 0; i < SHA1_SIZE; i++)
 sprintf(&local_sha1_ascii[i*2], "%02x", local_sha1_bin[i]);
 
- if (strcasecmp(server_sha1, local_sha1_ascii)) {
+ if (strcasecmp(vpninfo->profile_sha1, local_sha1_ascii)) {
 vpn_progress(vpninfo, PRG_ERR,
 _("Downloaded config file did not match intended SHA1\n"));
 free(config_buf);
 return -EINVAL;
 }
 
+ vpn_progress(vpninfo, PRG_DEBUG, _("Downloaded new XML profile\n"));
+
 result = vpninfo->write_new_config(vpninfo->cbdata, config_buf, buflen);
 free(config_buf);
 return result;
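Review bot: The new early-return guard at the top of fetch_config() tests `profile_url` and `profile_sha1` but not the callback that the last hunk of this file calls unconditionally, `vpninfo->write_new_config(vpninfo->cbdata, config_buf, buflen)`. If a library user can leave that callback unset (not visible in this diff, so worth confirming), the profile is downloaded and then a NULL function pointer is called; extending the guard to `if (!vpninfo->profile_url || !vpninfo->profile_sha1 || !vpninfo->write_new_config)` avoids both the crash and the pointless download. The "already matches" shortcut is a 40-character prefix comparison (`strncasecmp`), while the post-download check is a full `strcasecmp`, so a short comment saying the difference is intended would help. fetch_config's body continues outside this hunk.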
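Review bot: `vpninfo->profile_url` is written into the request line by `buf_append(buf, "GET %s HTTP/1.1\r\n", vpninfo->profile_url)` without validation, and it appears to be assembled from the gateway's bu:/fu: tokens in openconnect_obtain_cookie(). A value containing a space, CR or LF changes the request that is actually sent, so I would reject such values before the request is built, for example `if (strpbrk(vpninfo->profile_url, " \r\n")) return -EINVAL;` next to the NULL checks. The field name suggests a full URL, yet the value is used as the request target on the connection opened by openconnect_open_https(); a comment on the field saying it is a path on the current gateway would make that expectation explicit.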
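Review bot: The check `strcasecmp(vpninfo->profile_sha1, local_sha1_ascii)` deserves a comment saying what it does and does not protect, because the expected hash appears to come from the same gateway response that names the file. Something like `/* Detects a corrupt or stale download only; the expected hash is supplied by the gateway, so trust in the profile rests on the TLS session. */` keeps a later reader from treating it as an authenticity check. The function body starts outside this hunk.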
@@ -1250,20 +1260,20 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
 bu = tok + 3;
 else if (!strncmp(tok, "fu:", 3))
 fu = tok + 3;
- else if (!strncmp(tok, "fh:", 3)) {
- if (!strncasecmp(tok+3, vpninfo->xmlsha1,
- SHA1_SIZE * 2))
- break;
+ else if (!strncmp(tok, "fh:", 3))
 sha = tok + 3;
- }
 } while ((tok = strchr(tok, '&')));
 
- if (bu && fu && sha)
- fetch_config(vpninfo, bu, fu, sha);
+ if (bu && fu && sha) {
+ asprintf(&vpninfo->profile_url, "%s%s", bu, fu);
+ vpninfo->profile_sha1 = strdup(sha);
+ }
 }
 }
 result = 0;
 
+ fetch_config(vpninfo);
+
 out:
 free(form_path);
 free(form_buf);
diff --git a/library.c b/library.c
index 6ba9eead..902786ce 100644
--- a/library.c
+++ b/library.c
@@ -183,6 +183,8 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 free(vpninfo->csd_preurl);
 if (vpninfo->opaque_srvdata)
 xmlFreeNode(vpninfo->opaque_srvdata);
+ free(vpninfo->profile_url);
+ free(vpninfo->profile_sha1);
 
 /* These are const in openconnect itself, but for consistency of
 the library API we do take ownership of the strings we're given,
diff --git a/openconnect-internal.h b/openconnect-internal.h
index c7c13d79..15cfe19b 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -158,6 +158,9 @@ struct openconnect_info {
 char *csd_scriptname;
 xmlNode *opaque_srvdata;
 
+ char *profile_url;
+ char *profile_sha1;
+
 #ifdef LIBPROXY_HDR
 pxProxyFactory *proxy_factory;
 #endif
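Review bot: The result of `asprintf(&vpninfo->profile_url, "%s%s", bu, fu)` is not checked, and on failure the pointer's contents are not guaranteed to be NULL on every libc, so the NULL test in fetch_config() and the new `free(vpninfo->profile_url)` in library.c could act on an indeterminate pointer. Both fields are also overwritten without freeing a previous value, which leaks if openconnect_obtain_cookie() can reach this branch more than once on the same vpninfo (not visible here). The `fetch_config(vpninfo);` call after `result = 0;` discards its return value, so a SHA1 mismatch or a failed write is reported only through vpn_progress; if that is intentional, a one-line comment saying the profile update is best-effort would help. The enclosing function starts and ends outside the hunk.

```c
if (bu && fu && sha) {
	/* Drop values left by an earlier pass before storing new ones. */
	free(vpninfo->profile_url);
	free(vpninfo->profile_sha1);
	vpninfo->profile_sha1 = NULL;
	if (asprintf(&vpninfo->profile_url, "%s%s", bu, fu) == -1)
		vpninfo->profile_url = NULL;
	else
		vpninfo->profile_sha1 = strdup(sha);
}
```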