diff --git a/modules/tls/mod_tls.c b/modules/tls/mod_tls.c
index b5cf15b23d..df9fd59515 100644
--- a/modules/tls/mod_tls.c
+++ b/modules/tls/mod_tls.c
@@ -117,6 +117,12 @@ static const char *tls_cert_file(cmd_parms *cmd, void *dummy, const char *arg)
     return NULL;
 }
 
+static apr_status_t tls_filter_cleanup(void *data)
+{
+    SSLStateMachine_destroy((SSLStateMachine *)data);
+    return APR_SUCCESS;
+}
+
 static int tls_filter_inserter(conn_rec *c)
 {
     TLSServerConfig *pConfig =
@@ -136,6 +142,9 @@ static int tls_filter_inserter(conn_rec *c)
     pCtx->pbbInput=apr_brigade_create(c->pool);
     pCtx->pbbPendingInput=apr_brigade_create(c->pool);
 
+    apr_pool_cleanup_register(c->pool, (void*)pCtx->pStateMachine,
+                              tls_filter_cleanup, apr_pool_cleanup_null);
+
     return OK;
 }
 
diff --git a/modules/tls/openssl_state_machine.c b/modules/tls/openssl_state_machine.c
index 171a1aa23d..4f626e9efb 100644
--- a/modules/tls/openssl_state_machine.c
+++ b/modules/tls/openssl_state_machine.c
@@ -162,6 +162,12 @@ SSLStateMachine *SSLStateMachine_new(const char *szCertificateFile,
     return pMachine;
     }
 
+void SSLStateMachine_destroy(SSLStateMachine *pMachine)
+{
+    SSL_free(pMachine->pSSL);
+    free(pMachine);
+}
+
 void SSLStateMachine_read_inject(SSLStateMachine *pMachine,
 				 const unsigned char *aucBuf,int nBuf)
     {
diff --git a/modules/tls/openssl_state_machine.h b/modules/tls/openssl_state_machine.h
index 10be69a3b0..581baf9c9b 100644
--- a/modules/tls/openssl_state_machine.h
+++ b/modules/tls/openssl_state_machine.h
@@ -3,6 +3,7 @@ typedef struct SSLStateMachine SSLStateMachine;
 void SSLStateMachine_init(void);
 SSLStateMachine *SSLStateMachine_new(const char *szCertificateFile,
 				     const char *szKeyFile);
+void SSLStateMachine_destroy(SSLStateMachine *pMachine);
 void SSLStateMachine_read_inject(SSLStateMachine *pMachine,
 				 const unsigned char *aucBuf,int nBuf);
 int SSLStateMachine_read_extract(SSLStateMachine *pMachine,