diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 42d8249af57e5b73113ad02827e881f25c65a215..c280da85a3bb53e64733d463cebaecb102bf0757 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -173,6 +173,7 @@ LDAP_F (int) ldap_pvt_tls_get_option LDAP_P(( struct ldap *ld,
 LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldap *ld,
 	int option, void *arg ));
 
+LDAP_F (void) ldap_pvt_tls_destroy LDAP_P(( void ));
 LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void ));
 LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
 LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 4cfd6a93dd77d0516f3ae162a924599e9ed3de4e..01f6f0f0b4134194a6889132291fdf40e78f0b79 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -97,6 +97,17 @@ static void tls_init_threads( void )
 }
 #endif /* LDAP_R_COMPILE */
 
+/*
+ * Tear down the TLS subsystem. Should only be called once.
+ */
+void
+ldap_pvt_tls_destroy( void )
+{
+	SSL_CTX_free(tls_def_ctx);
+	EVP_cleanup();
+	ERR_free_strings();
+}
+
 /*
  * Initialize TLS subsystem. Should be called only once.
  */
diff --git a/servers/slapd/main.c b/servers/slapd/main.c
index 66e90f79c660fad84871d89cfb8eed97023c34de..785806497e40c26e6d4c710c51afa2230977aa54 100644
--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
@@ -542,6 +542,10 @@ stop:
 #endif
 	slapd_daemon_destroy();
 
+#ifdef HAVE_TLS
+	ldap_pvt_tls_destroy();
+#endif
+
 #ifdef CSRIMALLOC
 	mal_dumpleaktrace( leakfile );
 #endif