diff --git a/include/libwebsockets/lws-client.h b/include/libwebsockets/lws-client.h
index 4b5db85ed..2249bd8c5 100644
--- a/include/libwebsockets/lws-client.h
+++ b/include/libwebsockets/lws-client.h
@@ -72,6 +72,8 @@ enum lws_client_connect_ssl_connection_flags {
 	 * means you may block other connection processing in favour of incoming
 	 * data processing on this one if it receives back to back incoming rx.
 	 */
+	LCCSCF_SECSTREAM_CLIENT			= (1 << 21),
+	/**< used to mark client wsi as bound to secure stream */
 };
 
 /** struct lws_client_connect_info - parameters to connect with when using
diff --git a/lib/core-net/client/connect.c b/lib/core-net/client/connect.c
index 9c72835d5..0a624c8c8 100644
--- a/lib/core-net/client/connect.c
+++ b/lib/core-net/client/connect.c
@@ -326,6 +326,12 @@ lws_client_connect_via_info(const struct lws_client_connect_info *i)
 
 	wsi->a.opaque_user_data = wsi->stash->opaque_user_data =
 		i->opaque_user_data;
+
+#if defined(LWS_WITH_SECURE_STREAMS)
+	wsi->for_ss = !!(i->ssl_connection & LCCSCF_SECSTREAM_CLIENT);
+		/* implies our opaque user ptr is the ss handle */
+#endif
+
 	pc = (char *)&wsi->stash[1];
 
 	for (n = 0; n < CIS_COUNT; n++)
diff --git a/lib/core-net/close.c b/lib/core-net/close.c
index e586849d4..a4522f963 100644
--- a/lib/core-net/close.c
+++ b/lib/core-net/close.c
@@ -162,7 +162,7 @@ __lws_free_wsi(struct lws *wsi)
 	if (!wsi)
 		return;
 
-#if defined(LWS_WITH_SECURE_STREAMS) && defined(LWS_WITH_SERVER)
+#if defined(LWS_WITH_SECURE_STREAMS)
 	if (wsi->for_ss) {
 		/*
 		 * Make certain it is disconnected from the ss by now
@@ -520,7 +520,7 @@ just_kill_connection:
 		 */
 		lws_ss_handle_t *h = (lws_ss_handle_t *)wsi->a.opaque_user_data;
 
-		if (h  && !(h->info.flags & LWSSSINFLAGS_ACCEPTED)) {
+		if (h && (h->info.flags & LWSSSINFLAGS_ACCEPTED)) {
 			h->wsi = NULL;
 			wsi->a.opaque_user_data = NULL;
 		}
diff --git a/lib/secure-streams/secure-streams.c b/lib/secure-streams/secure-streams.c
index 3dae19c6b..96f70cac2 100644
--- a/lib/secure-streams/secure-streams.c
+++ b/lib/secure-streams/secure-streams.c
@@ -439,6 +439,8 @@ _lws_ss_client_connect(lws_ss_handle_t *h, int is_retry)
 	if (h->policy->flags & LWSSSPOLF_WAKE_SUSPEND__VALIDITY)
 		i.ssl_connection |= LCCSCF_WAKE_SUSPEND__VALIDITY;
 
+	i.ssl_connection |= LCCSCF_SECSTREAM_CLIENT;
+
 	i.address		= ads;
 	i.port			= port;
 	i.host			= i.address;