diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod index 53f621685e..259098657f 100644 --- a/doc/ssl/SSL_CTX_new.pod +++ b/doc/ssl/SSL_CTX_new.pod @@ -2,9 +2,9 @@ =head1 NAME -SSL_CTX_new, SSLv3_method, SSLv3_server_method, SSLv3_client_method, -TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, -TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, +SSL_CTX_new, SSL_CTX_up_ref, SSLv3_method, SSLv3_server_method, +SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, +TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method, DTLS_method, DTLS_server_method, DTLS_client_method, DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method, @@ -17,6 +17,7 @@ functions #include SSL_CTX *SSL_CTX_new(const SSL_METHOD *method); + void SSL_CTX_up_ref(SSL_CTX *ctx); const SSL_METHOD *TLS_method(void); const SSL_METHOD *TLS_server_method(void); @@ -59,7 +60,12 @@ functions =head1 DESCRIPTION SSL_CTX_new() creates a new B object as framework to -establish TLS/SSL or DTLS enabled connections. +establish TLS/SSL or DTLS enabled connections. An B object is +reference counted. Creating an B object for the first time increments +the reference count. Freeing it (using SSL_CTX_free) decrements it. When the +reference count drops to zero, any memory or resources allocated to the +B object are freed. SSL_CTX_up_ref() increments the reference count for +an existing B structure. =head1 NOTES diff --git a/doc/ssl/SSL_new.pod b/doc/ssl/SSL_new.pod index 4c350c507f..f0e07951e3 100644 --- a/doc/ssl/SSL_new.pod +++ b/doc/ssl/SSL_new.pod 
@@ -2,20 +2,26 @@ =head1 NAME -SSL_new - create a new SSL structure for a connection +SSL_new, SSL_up_ref - create a new SSL structure for a connection =head1 SYNOPSIS #include SSL *SSL_new(SSL_CTX *ctx); + void SSL_up_ref(SSL *s); =head1 DESCRIPTION SSL_new() creates a new B structure which is needed to hold the data for a TLS/SSL connection. The new structure inherits the settings of the underlying context B: connection method, -options, verification settings, timeout settings. +options, verification settings, timeout settings. An B structure is +reference counted. Creating an B structure for the first time increments +the reference count. Freeing it (using SSL_free) decrements it. When the +reference count drops to zero, any memory or resources allocated to the B +structure are freed. SSL_up_ref() increments the reference count for an +existing B structure. =head1 RETURN VALUES diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index 33133ff78f..597b88e5f7 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -234,6 +234,8 @@ protocol context defined in the B structure. =item SSL_CTX *B(const SSL_METHOD *meth); +=item void SSL_CTX_up_ref(SSL_CTX *ctx); + =item int B(SSL_CTX *ctx, SSL_SESSION *c); =item int B(SSL_CTX *ctx); @@ -562,6 +564,8 @@ fresh handle for each connection. =item SSL *B(SSL_CTX *ctx); +=item void SSL_up_ref(SSL *s); + =item long B(SSL *ssl); =item int B(SSL *ssl, void *buf, int num); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index d26b4af1a7..0d36e17a6c 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -1371,6 +1371,7 @@ void BIO_ssl_shutdown(BIO *ssl_bio); __owur int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); __owur SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); +void SSL_CTX_up_ref(SSL_CTX *ctx); void SSL_CTX_free(SSL_CTX *); __owur long SSL_CTX_set_timeout(SSL_CTX *ctx, long t); __owur long SSL_CTX_get_timeout(const SSL_CTX *ctx); 
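Review bot: `SSL_CTX_up_ref` is declared `void` in this ssl.h hunk, and `SSL_up_ref` likewise in the next ssl.h hunk, so a caller cannot tell whether the reference was actually taken. Both symbols are exported as 1_1_0 entries in util/ssleay.num in this same commit, so changing the signature later would be an API break. Consider `__owur int SSL_CTX_up_ref(SSL_CTX *ctx);` and `__owur int SSL_up_ref(SSL *s);`, returning 1 on success and 0 on failure. The declarations would also benefit from a short comment such as `/* Each successful call must be balanced by exactly one SSL_CTX_free() */`, because an unbalanced release on a shared handle leads to a use-after-free or a leak.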
@@ -1530,6 +1531,7 @@ __owur int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid unsigned int sid_ctx_len); SSL *SSL_new(SSL_CTX *ctx); +void SSL_up_ref(SSL *s); __owur int SSL_set_session_id_context(SSL *ssl, const unsigned char *sid_ctx, unsigned int sid_ctx_len); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 7c99e8d7d4..d29da6dfbf 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -745,6 +745,11 @@ SSL *SSL_new(SSL_CTX *ctx) return (NULL); } +void SSL_up_ref(SSL *s) +{ + CRYPTO_add(&s->references, 1, CRYPTO_LOCK_SSL); +} + int SSL_CTX_set_session_id_context(SSL_CTX *ctx, const unsigned char *sid_ctx, unsigned int sid_ctx_len) { @@ -2348,6 +2353,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) return (NULL); } +void SSL_CTX_up_ref(SSL_CTX *ctx) +{ + CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); +} + void SSL_CTX_free(SSL_CTX *a) { int i; diff --git a/util/ssleay.num b/util/ssleay.num index 103d95f537..89797c5a3d 100755 --- a/util/ssleay.num +++ b/util/ssleay.num @@ -433,3 +433,5 @@ SSL_CTX_get_options 467 1_1_0 EXIST::FUNCTION: SSL_clear_options 468 1_1_0 EXIST::FUNCTION: SSL_set_options 469 1_1_0 EXIST::FUNCTION: SSL_get_options 470 1_1_0 EXIST::FUNCTION: +SSL_up_ref 471 1_1_0 EXIST::FUNCTION: +SSL_CTX_up_ref 472 1_1_0 EXIST::FUNCTION:
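Review bot: `SSL_up_ref()` dereferences its argument unconditionally in `CRYPTO_add(&s->references, 1, CRYPTO_LOCK_SSL);`, so a NULL handle faults here. `SSL_CTX_up_ref()` in the following ssl_lib.c hunk has the same shape with `ctx`. The bodies of the matching free functions are outside these hunks; if they accept NULL, the up-ref side should either mirror that with `if (s == NULL) return;` and `if (ctx == NULL) return;`, or the man pages should state that NULL is not permitted. The value returned by `CRYPTO_add` is also discarded, so taking a reference on an object whose count has already reached zero (already being freed) goes undetected. A debug-build check that the new count is greater than 1 would catch that misuse early.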