@@ -2262,15 +2262,7 @@ key_state_free (struct key_state *ks, bool clear)

 {

   ks->state = S_UNDEF;

-  if (ks->ks_ssl.ssl) {

-#ifdef BIO_DEBUG

-    bio_debug_oc ("close ssl_bio", ks->ks_ssl.ssl_bio);

-    bio_debug_oc ("close ct_in", ks->ks_ssl.ct_in);

-    bio_debug_oc ("close ct_out", ks->ks_ssl.ct_out);

-#endif

-    BIO_free_all(ks->ks_ssl.ssl_bio);

-    SSL_free (ks->ks_ssl.ssl);

-  }

+  key_state_ssl_free(&ks->ks_ssl);

   free_key_ctx_bi (&ks->key);

   free_buf (&ks->plaintext_read_buf);

@@ -287,6 +287,13 @@ void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs

 void key_state_ssl_init(struct key_state_ssl *ks_ssl,

     const struct tls_root_ctx *ssl_ctx, bool is_server, void *session);

+/**

+ * Free the SSL channel part of the given key state.

+ *

+ * @param ks_ssl	The SSL channel's state info to free

+ */

+void key_state_ssl_free(struct key_state_ssl *ks_ssl);

+

 /*

  * Show the TLS ciphers that are available for us to use in the OpenSSL

  * library.

@@ -889,6 +889,19 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_

   BIO_set_ssl (ks_ssl->ssl_bio, ks_ssl->ssl, BIO_NOCLOSE);

 }

+void key_state_ssl_free(struct key_state_ssl *ks_ssl)

+{

+  if (ks_ssl->ssl) {

+#ifdef BIO_DEBUG

+    bio_debug_oc ("close ssl_bio", ks_ssl->ssl_bio);

+    bio_debug_oc ("close ct_in", ks_ssl->ct_in);

+    bio_debug_oc ("close ct_out", ks_ssl->ct_out);

+#endif

+    BIO_free_all(ks_ssl->ssl_bio);

+    SSL_free (ks_ssl->ssl);

+  }

+}

+

 void

 tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file

 #if ENABLE_INLINE_FILES