diff --git a/src/lib/tls/tortls.c b/src/lib/tls/tortls.c
index 4b35177df9..395f0148e2 100644
--- a/src/lib/tls/tortls.c
+++ b/src/lib/tls/tortls.c
@@ -35,6 +35,25 @@ tor_tls_context_incref(tor_tls_context_t *ctx)
++ctx->refcnt;
}
+/** Remove a reference to ctx, and free it if it has no more
+ * references. */
+void
+tor_tls_context_decref(tor_tls_context_t *ctx)
+{
+ tor_assert(ctx);
+ if (--ctx->refcnt == 0) {
+ tor_tls_context_impl_free(ctx->ctx);
+ tor_x509_cert_free(ctx->my_link_cert);
+ tor_x509_cert_free(ctx->my_id_cert);
+ tor_x509_cert_free(ctx->my_auth_cert);
+ crypto_pk_free(ctx->link_key);
+ crypto_pk_free(ctx->auth_key);
+ /* LCOV_EXCL_BR_START since ctx will never be NULL here */
+ tor_free(ctx);
+ /* LCOV_EXCL_BR_STOP */
+ }
+}
+
/** Free all global TLS structures. */
void
tor_tls_free_all(void)
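Review bot: The moved tor_tls_context_decref now calls tor_tls_context_impl_free(), whose prototype lives in tortls_internal.h, but this hunk does not show tortls.c including that header; if it is not already included earlier in the file, the call becomes an implicit declaration that C99 rejects and C89 silently accepts with an int return type. Worth confirming the include, since the rest of the file (tor_tls_free_all etc.) is outside the hunk. The doc comment could also say where the backend work went, e.g. `/** Remove a reference to ctx, and free it if it has no more references. The backend-specific context object is released through tor_tls_context_impl_free(); the certificates and keys are freed here. */`.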
diff --git a/src/lib/tls/tortls_internal.h b/src/lib/tls/tortls_internal.h
index c58379e19b..b997ee3e4a 100644
--- a/src/lib/tls/tortls_internal.h
+++ b/src/lib/tls/tortls_internal.h
@@ -28,6 +28,13 @@ int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
unsigned int flags,
int is_client);
+#ifdef ENABLE_OPENSSL
+void tor_tls_context_impl_free(struct ssl_ctx_st *);
+#else
+struct ssl_ctx_st; // XXXX replace
+void tor_tls_context_impl_free(struct ssl_ctx_st *);
+#endif
+
#ifdef ENABLE_OPENSSL
tor_tls_t *tor_tls_get_by_ssl(const struct ssl_st *ssl);
int tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl);
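Review bot: Both branches of the new `#ifdef ENABLE_OPENSSL` block declare the identical prototype `void tor_tls_context_impl_free(struct ssl_ctx_st *);`, so the conditional only decides whether the `struct ssl_ctx_st;` forward declaration is emitted, and that declaration is harmless under OpenSSL too (it is compatible with the OpenSSL-provided definition). The block could collapse to the two lines `struct ssl_ctx_st; /* XXXX replace with a backend-neutral context handle */` and `void tor_tls_context_impl_free(struct ssl_ctx_st *);`, which also makes the remaining XXXX easier to find when the NSS backend gets its own type. The bare `// XXXX replace` does not say what should replace it; the expanded comment above states that.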
diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c
index 98fecdaf16..3ab5c753d0 100644
--- a/src/lib/tls/tortls_nss.c
+++ b/src/lib/tls/tortls_nss.c
@@ -85,6 +85,13 @@ tor_tls_context_init_one(tor_tls_context_t **ppcontext,
// XXXX
return -1;
}
+void
+tor_tls_context_impl_free(struct ssl_ctx_st *ctx)
+{
+ (void)ctx;
+ // XXXX
+ // XXXX openssl type.
+}
void
tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz)
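Review bot: The NSS tor_tls_context_impl_free stub silently discards ctx, so on this backend tor_tls_context_decref() will never release whatever ctx->ctx eventually holds; today that appears safe only because tor_tls_context_init_one() above still returns -1 without allocating anything, but nothing ties the two XXXX markers together. The two comment lines should say that explicitly so the leak is obvious when init_one is implemented, e.g. `/* XXXX NSS: ctx is declared with the OpenSSL type and init_one does not allocate a context yet, so there is nothing to release. Free the real NSS object here once one exists. */`.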
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
index 333b86481e..5f54312355 100644
--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@ -30,6 +30,7 @@
#include "lib/crypt_ops/crypto_util.h"
#include "lib/crypt_ops/compat_openssl.h"
#include "lib/tls/x509.h"
+#include "lib/tls/x509_internal.h"
/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
* srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
@@ -488,25 +489,6 @@ static const char CLIENT_CIPHER_LIST[] =
#undef CIPHER
#undef XCIPHER
-/** Remove a reference to ctx, and free it if it has no more
- * references. */
-void
-tor_tls_context_decref(tor_tls_context_t *ctx)
-{
- tor_assert(ctx);
- if (--ctx->refcnt == 0) {
- SSL_CTX_free(ctx->ctx);
- tor_x509_cert_free(ctx->my_link_cert);
- tor_x509_cert_free(ctx->my_id_cert);
- tor_x509_cert_free(ctx->my_auth_cert);
- crypto_pk_free(ctx->link_key);
- crypto_pk_free(ctx->auth_key);
- /* LCOV_EXCL_BR_START since ctx will never be NULL here */
- tor_free(ctx);
- /* LCOV_EXCL_BR_STOP */
- }
-}
-
/** Set *link_cert_out and *id_cert_out to the link certificate
* and ID certificate that we're currently using for our V3 in-protocol
* handshake's certificate chain. If server is true, provide the certs
@@ -599,6 +581,14 @@ tor_tls_context_init_one(tor_tls_context_t **ppcontext,
return ((new_ctx != NULL) ? 0 : -1);
}
+void
+tor_tls_context_impl_free(struct ssl_ctx_st *ctx)
+{
+ if (!ctx)
+ return;
+ SSL_CTX_free(ctx);
+}
+
/** The group we should use for ecdhe when none was selected. */
#define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
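Review bot: The new tor_tls_context_impl_free has no doc comment, unlike the surrounding `/** ... */`-documented functions in this file, and its NULL guard duplicates SSL_CTX_free()'s own tolerance of a NULL argument, so a reader cannot tell whether the early return is a deliberate contract or defensive duplication. Suggest documenting the contract above the definition: `/** Backend half of tor_tls_context_decref(): release the OpenSSL SSL_CTX that backs a tor_tls_context_t. Accepts NULL and does nothing in that case. */`. Keeping the explicit guard is fine since it makes the NULL-safe contract local rather than dependent on the library.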