diff --git a/configure.ac b/configure.ac index 14f176bf3a..1ae38d2ef0 100644 --- a/configure.ac +++ b/configure.ac @@ -651,6 +651,7 @@ AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version]) AC_CHECK_FUNCS([SSL_CTX_up_ref]) AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex]) AC_CHECK_FUNCS([SSL_CTX_set1_cert_store X509_STORE_up_ref]) +AC_CHECK_FUNCS([SSL_CTX_up_ref]) # # Check for algorithm support in OpenSSL diff --git a/lib/isc/include/isc/tls.h b/lib/isc/include/isc/tls.h index fc75157bbe..e05e2c4228 100644 --- a/lib/isc/include/isc/tls.h +++ b/lib/isc/include/isc/tls.h @@ -32,6 +32,17 @@ isc_tlsctx_free(isc_tlsctx_t **ctpx); *\li 'ctxp' != NULL and '*ctxp' != NULL. */ +void +isc_tlsctx_attach(isc_tlsctx_t *src, isc_tlsctx_t **ptarget); +/*%< + * Attach to the TLS context. + * + * Requires: + *\li 'src' != NULL; + *\li 'ptarget' != NULL; + *\li '*ptarget' == NULL. + */ + isc_result_t isc_tlsctx_createserver(const char *keyfile, const char *certfile, isc_tlsctx_t **ctxp); diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c index 3d6cbeed89..c39ba8c682 100644 --- a/lib/isc/openssl_shim.c +++ b/lib/isc/openssl_shim.c @@ -189,3 +189,10 @@ SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) { } #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */ + +#if !HAVE_SSL_CTX_UP_REF +int +SSL_CTX_up_ref(SSL_CTX *ctx) { + return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 0); +} +#endif /* !HAVE_SSL_CTX_UP_REF */ diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h index 0755fbb49d..b2916e20a9 100644 --- a/lib/isc/openssl_shim.h +++ b/lib/isc/openssl_shim.h @@ -130,3 +130,8 @@ X509_STORE_up_ref(X509_STORE *v); void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store); #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */ + +#if !HAVE_SSL_CTX_UP_REF +int +SSL_CTX_up_ref(SSL_CTX *store); +#endif /* !HAVE_SSL_CTX_UP_REF */ diff --git a/lib/isc/tls.c b/lib/isc/tls.c index 19bed66efb..3eb0af155f 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c 
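Review bot: The added `AC_CHECK_FUNCS([SSL_CTX_up_ref])` in configure.ac repeats a probe that already appears two lines above it in this hunk's context, so `HAVE_SSL_CTX_UP_REF` was already being defined before this commit. The second check is harmless but redundant, and it wrongly suggests that the new shim guard needed a new configure test. The added line can be dropped.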
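Review bot: The new doc comment for isc_tlsctx_attach() in lib/isc/include/isc/tls.h lists the preconditions but says nothing about ownership of the reference it hands out. Going by the tls.c part of this commit, attach takes an extra SSL_CTX reference and aborts through RUNTIME_CHECK if that fails, and the only release path visible here is isc_tlsctx_free(). I would add a sentence such as `* Each attached reference must be released with isc_tlsctx_free(); the context is destroyed only when the last reference is freed.` An unbalanced attach otherwise keeps the context alive for the life of the process, presumably together with the key material loaded by isc_tlsctx_createserver().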
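Review bot: The fallback `SSL_CTX_up_ref()` added to lib/isc/openssl_shim.c reports success whenever the incremented count is positive, which is weaker than the contract of the real function in OpenSSL 1.1.0 and later. That function returns 1 only when the new count is greater than 1, so taking a reference on a context whose count had already reached zero is reported as a failure. With `> 0`, the `RUNTIME_CHECK(SSL_CTX_up_ref(src) == 1)` in isc_tlsctx_attach() cannot catch an attach to an already-released context on builds that use the shim. I would write `return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 1);` and add a one-line comment that the shim mirrors the 1.1.0 return value.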
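Review bot: The prototype added to lib/isc/openssl_shim.h names its parameter `store`, while the definition in openssl_shim.c uses `ctx`. The name looks carried over from a neighbouring declaration. Declaring it as `SSL_CTX_up_ref(SSL_CTX *ctx);` keeps the header and the definition consistent and avoids implying that the argument is an X509_STORE.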
@@ -188,6 +188,16 @@ isc_tlsctx_free(isc_tlsctx_t **ctxp) { SSL_CTX_free(ctx); } +void +isc_tlsctx_attach(isc_tlsctx_t *src, isc_tlsctx_t **ptarget) { + REQUIRE(src != NULL); + REQUIRE(ptarget != NULL && *ptarget == NULL); + + RUNTIME_CHECK(SSL_CTX_up_ref(src) == 1); + + *ptarget = src; +} + #if HAVE_SSL_CTX_SET_KEYLOG_CALLBACK /* * Callback invoked by the SSL library whenever a new TLS pre-master secret