diff --git a/src/apps/altcp_tls/altcp_tls_mbedtls.c b/src/apps/altcp_tls/altcp_tls_mbedtls.c
index 8f62ba06..32299036 100644
--- a/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -537,10 +537,11 @@ altcp_mbedtls_lower_err(void *arg, err_t err)
 {
   struct altcp_pcb *conn = (struct altcp_pcb *)arg;
   if (conn) {
-    /* @todo: deallocate/close this connection? */
+    conn->inner_conn = NULL; /* already freed */
     if (conn->err) {
       conn->err(conn->arg, err);
     }
+    altcp_free(conn);
   }
 }
 
@@ -606,6 +607,16 @@ altcp_tls_new(struct altcp_tls_config* config, struct altcp_pcb *inner_pcb)
   return ret;
 }
 
+void *
+altcp_tls_context (struct altcp_pcb *conn)
+{
+  if (conn && conn->state) {
+      altcp_mbedtls_state_t *state = conn->state;
+      return &state->ssl_context;
+  }
+  return NULL;
+}
+
 #if ALTCP_MBEDTLS_DEBUG != LWIP_DBG_OFF
 static void
 altcp_mbedtls_debug(void *ctx, int level, const char *file, int line, const char *str)
@@ -755,6 +766,13 @@ altcp_tls_create_config_client(const u8_t *cert, size_t cert_len)
   return conf;
 }
 
+void
+altcp_tls_free_config(struct altcp_tls_config *conf)
+{
+    altcp_mbedtls_free_config (conf);
+}
+
+
 /* "virtual" functions */
 static void
 altcp_mbedtls_set_poll(struct altcp_pcb *conn, u8_t interval)
@@ -954,8 +972,12 @@ altcp_mbedtls_dealloc(struct altcp_pcb *conn)
       mbedtls_ssl_free(&state->ssl_context);
       state->flags = 0;
       altcp_mbedtls_free(state->conf, state);
+      conn->state = NULL;
+    }
+    if (conn->inner_conn) {
+      altcp_free(conn->inner_conn);
+      conn->inner_conn = NULL;
     }
-    conn->state = NULL;
   }
 }
 
diff --git a/src/include/lwip/altcp_tls.h b/src/include/lwip/altcp_tls.h
index 977f24f8..b9fb31d6 100644
--- a/src/include/lwip/altcp_tls.h
+++ b/src/include/lwip/altcp_tls.h
@@ -72,11 +72,22 @@ struct altcp_tls_config *altcp_tls_create_config_server_privkey_cert(const u8_t
  */
 struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len);
 
+/** @ingroup altcp_tls
+ * Free an ALTCP_TLS configuration handle
+ */
+void altcp_tls_free_config(struct altcp_tls_config *conf);
+
 /** @ingroup altcp_tls
  * Create new ALTCP_TLS layer
  */
 struct altcp_pcb *altcp_tls_new(struct altcp_tls_config* config, struct altcp_pcb *inner_pcb);
 
+/** @ingroup altcp_tls
+ * Return pointer to internal TLS context so application can tweak it.
+ * Real type depends on port (e.g. mbedtls)
+ */
+void *altcp_tls_context (struct altcp_pcb *conn);
+
 #ifdef __cplusplus
 }
 #endif