diff --git a/lib/core-net/private-lib-core-net.h b/lib/core-net/private-lib-core-net.h
index 3cce68ac4..42a511b67 100644
--- a/lib/core-net/private-lib-core-net.h
+++ b/lib/core-net/private-lib-core-net.h
@@ -520,7 +520,7 @@ struct lws_vhost {
 	uint32_t		tls_session_cache_max;
 #endif
 
-#if defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY)
+#if defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY) || defined(LWS_WITH_SECURE_STREAMS_CPP)
 	int8_t			ss_refcount;
 	/**< refcount of number of ss connections with streamtypes using this
 	 * trust store */
diff --git a/lib/secure-streams/policy-common.c b/lib/secure-streams/policy-common.c
index 8399df154..b782c1e5b 100644
--- a/lib/secure-streams/policy-common.c
+++ b/lib/secure-streams/policy-common.c
@@ -367,7 +367,7 @@ lws_ss_policy_ref_trust_store(struct lws_context *context,
 	}
 
 accepted:
-#if defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY)
+#if defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY) || defined(LWS_WITH_SECURE_STREAMS_CPP)
 	if (doref)
 		v->ss_refcount++;
 #endif
@@ -375,7 +375,7 @@ accepted:
 	return v;
 }
 
-#if defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY)
+#if defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY) || defined(LWS_WITH_SECURE_STREAMS_CPP)
 int
 lws_ss_policy_unref_trust_store(struct lws_context *context,
 				const lws_ss_policy_t *pol)
diff --git a/lib/secure-streams/private-lib-secure-streams.h b/lib/secure-streams/private-lib-secure-streams.h
index e237168a3..407ce23ba 100644
--- a/lib/secure-streams/private-lib-secure-streams.h
+++ b/lib/secure-streams/private-lib-secure-streams.h
@@ -610,7 +610,7 @@ lws_ss_cancel_notify_dll(struct lws_dll2 *d, void *user);
 int
 lws_sspc_cancel_notify_dll(struct lws_dll2 *d, void *user);
 
-#if defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY)
+#if defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY) || defined(LWS_WITH_SECURE_STREAMS_CPP)
 int
 lws_ss_policy_unref_trust_store(struct lws_context *context,
 				const lws_ss_policy_t *pol);
diff --git a/lib/secure-streams/secure-streams.c b/lib/secure-streams/secure-streams.c
index d22fbff29..81ed03236 100644
--- a/lib/secure-streams/secure-streams.c
+++ b/lib/secure-streams/secure-streams.c
@@ -1250,6 +1250,14 @@ extant:
 		lwsl_err("%s: unable to get vhost / trust store\n", __func__);
 		goto fail_creation;
 	}
+#else
+#if defined(LWS_WITH_SECURE_STREAMS_CPP)
+        if (!ssi->streamtype &&
+	    !lws_ss_policy_ref_trust_store(context, h->policy, 1 /* do the ref */)) {
+		lwsl_err("%s: unable to get vhost / trust store\n", __func__);
+		goto fail_creation;
+	}
+#endif
 #endif
 
 	r = lws_ss_event_helper(h, LWSSSCS_CREATING);
@@ -1465,6 +1473,11 @@ lws_ss_destroy(lws_ss_handle_t **ppss)
 
 	if (h->policy)
 		lws_ss_policy_unref_trust_store(h->context, h->policy);
+#else
+#if defined(LWS_WITH_SECURE_STREAMS_CPP)
+	if (!h->info.streamtype || !*(h->info.streamtype))
+		lws_ss_policy_unref_trust_store(h->context, h->policy);
+#endif
 #endif
 
 #if defined(LWS_WITH_SERVER)