diff --git a/changelog b/changelog
index 6881a5b2c0d026e4a2800816fe5a9e1a91a5d702..5e48a24b6cbde0e1c31635c2aa9bbe67282e0f5e 100644
--- a/changelog
+++ b/changelog
@@ -98,6 +98,12 @@ If you are providing other headers, they must be generated using the new
 HTTP-version-agnostic APIs, and you must provide the length of them using this
 additional parameter.
 
+struct lws_context_creation_info now has an additional member
+SSL_CTX *provided_client_ssl_ctx you may set to an externally-initialized
+SSL_CTX managed outside lws.  Defaulting to zero keeps the existing behaviour of
+lws managing the context, if you memset the struct to 0 or have as a filescope
+initialized struct in bss, no need to change anything.
+
 
 v1.3-chrome37-firefox30
 =======================
diff --git a/lib/context.c b/lib/context.c
index 635bb1372ac64fc288d9fa5551a30844c0b67f15..447c96c510b011d0186298ded905f4cd31539661 100644
--- a/lib/context.c
+++ b/lib/context.c
@@ -214,15 +214,24 @@ libwebsocket_create_context(struct lws_context_creation_info *info)
 				sizeof(struct libwebsocket),
 					      sizeof(struct allocated_headers));
 
-	if (lws_context_init_server_ssl(info, context))
-		goto bail;
 
-	if (lws_context_init_client_ssl(info, context))
+#ifdef LWS_OPENSSL_SUPPORT
+    if (info->provided_client_ssl_ctx){
+        //use the provided OpenSSL context if given one
+        context->ssl_client_ctx = info->provided_client_ssl_ctx;
+        context->user_supplied_ssl_ctx = 1; //mark to not delet the context on cleanup
+    }
+#endif
+    if (lws_context_init_server_ssl(info, context))
+		goto bail;
+	if (!context->ssl_client_ctx && lws_context_init_client_ssl(info, context))
 		goto bail;
 
 	if (lws_context_init_server(info, context))
 		goto bail;
 
+	lwsl_debug(" client SSL ctx %p\n", context->ssl_client_ctx);
+	lwsl_debug(" server SSL ctx %p\n", context->ssl_ctx);
 	/*
 	 * drop any root privs for this process
 	 * to listen on port < 1023 we would have needed root, but now we are
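Review bot: `context->ssl_client_ctx` is read outside the `#ifdef LWS_OPENSSL_SUPPORT` guard, in the `if (!context->ssl_client_ctx && ...)` test and in both new `lwsl_debug` lines. The private-libwebsockets.h hunk of this commit shows `ssl_ctx` and `ssl_client_ctx` declared only under that macro, so a build without OpenSSL support would presumably fail to compile here; guarding those uses as below avoids that. When a context is supplied, lws_context_init_client_ssl() is skipped entirely, so any peer-verification setup it performs becomes the caller's job, which the comment should say. The new lines also mix space indentation with the file's tabs, and the comment has a typo ("delet"). libwebsocket_create_context starts and ends outside the hunk.

```c
#ifdef LWS_OPENSSL_SUPPORT
	if (info->provided_client_ssl_ctx) {
		/*
		 * Caller-owned client SSL_CTX: lws skips its own client SSL
		 * init and must not free this context on cleanup.
		 */
		context->ssl_client_ctx = info->provided_client_ssl_ctx;
		context->user_supplied_ssl_ctx = 1;
	}
#endif
	/* … unchanged: lws_context_init_server_ssl() call … */
#ifdef LWS_OPENSSL_SUPPORT
	if (!context->ssl_client_ctx &&
	    lws_context_init_client_ssl(info, context))
		goto bail;
#else
	if (lws_context_init_client_ssl(info, context))
		goto bail;
#endif
	/* … unchanged: lws_context_init_server() call … */
#ifdef LWS_OPENSSL_SUPPORT
	lwsl_debug(" client SSL ctx %p\n", context->ssl_client_ctx);
	lwsl_debug(" server SSL ctx %p\n", context->ssl_ctx);
#endif
```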
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index 30dbd575716e2717a513742f34d8671e82589ae5..816b1df64fefddb1ef88623e68eda3559611dc43 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -86,6 +86,14 @@ extern "C" {
 #include <unistd.h>
 #endif
 
+#ifdef LWS_OPENSSL_SUPPORT
+#ifdef USE_CYASSL
+#include <cyassl/openssl/ssl.h>
+#else
+#include <openssl/ssl.h>
+#endif /* not USE_CYASSL */
+#endif
+
 #define CONTEXT_PORT_NO_LISTEN -1
 #define MAX_MUX_RECURSION 2
 
@@ -995,6 +1003,10 @@ struct libwebsocket_extension {
  *		and killing the connection
  * @ka_interval: if ka_time was nonzero, how long to wait before each ka_probes
  *		attempt
+ * @provided_client_ssl_ctx: If non-null, swap out libwebsockets ssl
+ *		implementation for the one provided by provided_ssl_ctx.
+ *		Libwebsockets no longer is responsible for freeing the context
+ *		if this option is selected.
  */
 
 struct lws_context_creation_info {
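Review bot: The new `@provided_client_ssl_ctx` text refers to `provided_ssl_ctx`, a name that does not exist in the struct, and it omits what a caller must get right to use the option safely. I would reword the entry to name the member correctly and to say it must be NULL when unused. It should also state that the supplied SSL_CTX has to remain valid until the lws context is destroyed, since lws does not free it and, as far as this commit shows, takes no reference of its own. Finally it should note that lws skips its own client SSL initialisation when the member is set (see the context.c hunk), so certificate verification and CA settings must already be configured on the supplied context.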
@@ -1017,7 +1029,11 @@ struct lws_context_creation_info {
 	int ka_time;
 	int ka_probes;
 	int ka_interval;
-
+#ifdef LWS_OPENSSL_SUPPORT
+	SSL_CTX *provided_client_ssl_ctx;
+#else /* maintain structure layout either way */
+    	void *provided_client_ssl_ctx;
+#endif
 };
 
 LWS_VISIBLE LWS_EXTERN
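Review bot: The member's declared type depends on whether `LWS_OPENSSL_SUPPORT` is defined in the translation unit that includes this public header, which need not match how the library itself was built. The layout stays identical, but an application compiled without the macro can store any `void *` here and an SSL-enabled library will use it as an `SSL_CTX *` with no type check. I would state the requirement next to the member, e.g. `/* NULL, or a valid SSL_CTX * built against the same SSL library as lws */`. The `void *` line is also indented with spaces followed by a tab, unlike the tab-indented members above it.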
diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h
index 5946a5ee9cb96c9a98319697d6b38e4673885098..7e01fe7d7de644eb0843111de7e5a84a9d11f25a 100755
--- a/lib/private-libwebsockets.h
+++ b/lib/private-libwebsockets.h
@@ -462,6 +462,7 @@ struct libwebsocket_context {
 #ifdef LWS_OPENSSL_SUPPORT
 	int use_ssl;
 	int allow_non_ssl_on_ssl_port;
+	unsigned int user_supplied_ssl_ctx:1;
 	SSL_CTX *ssl_ctx;
 	SSL_CTX *ssl_client_ctx;
 	unsigned int ssl_flag_buffered_reads:1;
diff --git a/lib/ssl.c b/lib/ssl.c
index 3cdfdeab5fa59b9fda7caa44262aceb76f2f4b3f..cc86b8052b86cbfcee609060e4339209b43ca208 100644
--- a/lib/ssl.c
+++ b/lib/ssl.c
@@ -192,7 +192,7 @@ lws_ssl_destroy(struct libwebsocket_context *context)
 {
 	if (context->ssl_ctx)
 		SSL_CTX_free(context->ssl_ctx);
-	if (context->ssl_client_ctx)
+	if (!context->user_supplied_ssl_ctx && context->ssl_client_ctx)
 		SSL_CTX_free(context->ssl_client_ctx);
 
 	ERR_remove_state(0);
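Review bot: `user_supplied_ssl_ctx` guards only the client context in this hunk, while `context->ssl_ctx` is still freed unconditionally, and the flag's generic name does not convey that. A comment above the test would stop a later reader assuming the server context is covered too, e.g. `/* a client ctx passed in via info->provided_client_ssl_ctx is owned by the caller; never free it here */`. The same applies to the identical change in lws_ssl_context_destroy in the next hunk. Both function bodies continue past the lines shown.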
@@ -593,7 +593,7 @@ lws_ssl_context_destroy(struct libwebsocket_context *context)
 {
 	if (context->ssl_ctx)
 		SSL_CTX_free(context->ssl_ctx);
-	if (context->ssl_client_ctx)
+	if (!context->user_supplied_ssl_ctx && context->ssl_client_ctx)
 		SSL_CTX_free(context->ssl_client_ctx);
 
 	ERR_remove_state(0);