diff --git a/src/lib/asiolink/openssl_tls.cc b/src/lib/asiolink/openssl_tls.cc
index 0ee5e8bcc7..407b3a7d36 100644
--- a/src/lib/asiolink/openssl_tls.cc
+++ b/src/lib/asiolink/openssl_tls.cc
@@ -45,6 +45,7 @@ TlsContext::TlsContext(TlsRole role)
 boost::asio::ssl::context&
 TlsContext::getContext() {
+ ::SSL_CTX_up_ref(context_.native_handle());
 return (context_);
 }
diff --git a/src/lib/asiolink/openssl_tls.h b/src/lib/asiolink/openssl_tls.h
index 9c224afcfa..7171dbe8c0 100644
--- a/src/lib/asiolink/openssl_tls.h
+++ b/src/lib/asiolink/openssl_tls.h
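Review bot: The `::SSL_CTX_up_ref(context_.native_handle())` added to `TlsContext::getContext()` is never balanced by an `SSL_CTX_free`, so every call leaks one reference and the SSL_CTX can never be released for the lifetime of the process. The only consumer visible in this patch is the `boost::asio::ssl::stream` constructor in the header hunk, and the `SSL_new` it performs already takes its own reference on the context, so the extra increment is not needed to keep the SSL_CTX alive while streams exist; the return value of `SSL_CTX_up_ref` is also discarded. An accessor that bumps a refcount as a side effect is easy to misuse, so I would drop the line, or, if the intent really is for the context to outlive `TlsContext`, state the contract in the header, e.g. `/// @note Each call takes an extra SSL_CTX reference; the caller must release it with SSL_CTX_free().`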
@@ -230,6 +230,58 @@ const int STREAM_TRUNCATED = boost::asio::ssl::error::stream_truncated;
 const int STREAM_TRUNCATED = ERR_PACK(ERR_LIB_SSL, 0, SSL_R_SHORT_READ);
 #endif
+/// @brief The type of underlying TLS streams.
+typedef boost::asio::ssl::stream TlsStreamImpl;
+
+/// @brief The type of X509 certificates.
+typedef ::X509 TlsCertificate;
+
+/// @brief OpenSSL TLS stream.
+///
+/// @param callback The callback.
+template
+class TlsStream : public TlsStreamImpl {
+public:
+
+ /// @brief Constructor.
+ ///
+ /// @param service I/O Service object used to manage the stream.
+ /// @param context Pointer to the TLS context.
+ TlsStream(IOService& service, TlsContextPtr context)
+ : TlsStreamImpl(service.get_io_service(), context->getContext()),
+ role_(context->role_) {
+ }
+
+ /// @brief Destructor.
+ virtual ~TlsStream() { }
+
+ /// @brief Handshake.
+ ///
+ virtual void handshake(Callback& callback) {
+ using namespace boost::asio::ssl;
+ if (role_ == SERVER) {
+ async_handshake(stream_base::server, callback);
+ } else {
+ async_handshake(stream_base::client, callback);
+ }
+ }
+
+ /// @brief Clear the SSL object.
+ virtual void clear() {
+ static_cast(::SSL_clear(this->native_handle()));
+ }
+
+ /// @brief Return the peer certificate.
+ ///
+ /// @note The native_handle() method is used so it can't be made const.
+ virtual TlsCertificate* getPeerCert() {
+ return (::SSL_get_peer_certificate(this->native_handle()));
+ }
+
+ /// @brief The role i.e. client or server.
+ TlsRole role_;
+};
+
 } // namespace asiolink
 } // namespace isc
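Review bot: `getPeerCert()` hands out the result of `SSL_get_peer_certificate()`, which returns an X509 with an incremented reference count that the caller must release with `X509_free()`, and returns NULL when the peer presented no certificate; neither is stated in the doc comment, so callers will either leak the certificate or dereference a null pointer. I would add `/// @return The peer certificate (caller owns the reference and must X509_free() it), or NULL if the peer presented none.` Note too that a non-null result only means a certificate was presented, not that it was validated; that depends on the verify mode configured on the context, which is outside this hunk, so callers must not treat it as an authenticated identity. Minor: `clear()` discards `SSL_clear`'s failure indication through the `static_cast`, and the class comment's `@param callback` describes the template parameter and should read `@tparam Callback The completion callback type.`; `handshake()`'s empty `///` line should likewise document its `callback` parameter.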