diff --git a/lib/core-net/adopt.c b/lib/core-net/adopt.c
index ec01584fe..4f6793508 100644
--- a/lib/core-net/adopt.c
+++ b/lib/core-net/adopt.c
@@ -270,6 +270,7 @@ lws_adopt_ss_server_accept(struct lws *new_wsi)
 	h->wsi = new_wsi;
 	new_wsi->a.opaque_user_data = h;
 	h->info.flags |= LWSSSINFLAGS_ACCEPTED;
+	new_wsi->for_ss = 1; /* indicate wsi should invalidate any ss link to it on close */
 
 	// lwsl_notice("%s: opaq %p, role %s\n", __func__,
 	//		new_wsi->a.opaque_user_data, new_wsi->role_ops->name);
diff --git a/lib/core-net/close.c b/lib/core-net/close.c
index be113b4ef..ca288a17f 100644
--- a/lib/core-net/close.c
+++ b/lib/core-net/close.c
@@ -483,6 +483,23 @@ just_kill_connection:
 		wsi->protocol_bind_balance = 0;
 	}
 
+#if defined(LWS_WITH_SECURE_STREAMS) && defined(LWS_WITH_SERVER)
+	if (wsi->for_ss) {
+		/*
+		 * We were adopted for a particular ss, but, eg, we may not
+		 * have succeeded with the connection... we are closing which is
+		 * good, but we have to invalidate any pointer the related ss
+		 * handle may be holding on us
+		 */
+		lws_ss_handle_t *h = (lws_ss_handle_t *)wsi->a.opaque_user_data;
+
+		if (h) {
+			h->wsi = NULL;
+			wsi->a.opaque_user_data = NULL;
+		}
+	}
+#endif
+
 #if defined(LWS_WITH_CLIENT)
 	if ((lwsi_state(wsi) == LRS_WAITING_SERVER_REPLY ||
 	     lwsi_state(wsi) == LRS_WAITING_DNS ||
diff --git a/lib/core-net/private-lib-core-net.h b/lib/core-net/private-lib-core-net.h
index ea785c509..bc32d8ef7 100644
--- a/lib/core-net/private-lib-core-net.h
+++ b/lib/core-net/private-lib-core-net.h
@@ -837,6 +837,9 @@ struct lws {
 	unsigned int			could_have_pending:1; /* detect back-to-back writes */
 	unsigned int			outer_will_close:1;
 	unsigned int			shadow:1; /* we do not control fd lifecycle at all */
+#if defined(LWS_WITH_SECURE_STREAMS)
+	unsigned int			for_ss:1;
+#endif
 
 #ifdef LWS_WITH_ACCESS_LOG
 	unsigned int			access_log_pending:1;