diff --git a/src/linux_tcp/openssl.h b/src/linux_tcp/openssl.h
index bd67e5b..23c4ae3 100644
--- a/src/linux_tcp/openssl.h
+++ b/src/linux_tcp/openssl.h
@@ -43,7 +43,6 @@ int SSL_shutdown(SSL *ssl);
 int SSL_set_fd(SSL *ssl, int fd);
 int SSL_get_shutdown(const SSL *ssl);
 int SSL_get_error(const SSL *ssl, int ret);
-int SSL_up_ref(SSL *ssl);
 void SSL_set_connect_state(SSL *ssl);
 void SSL_CTX_free(SSL_CTX *ctx);
 void SSL_free(SSL *ssl);
diff --git a/src/linux_tcp/sslconnected.h b/src/linux_tcp/sslconnected.h
index 5bbe81a..9015e9f 100644
--- a/src/linux_tcp/sslconnected.h
+++ b/src/linux_tcp/sslconnected.h
@@ -125,7 +125,7 @@ private:
 _handler = nullptr;
 // start the state that closes the connection
- return new SslShutdown(_connection, _socket, _ssl, _handler);
+ return new SslShutdown(_connection, _socket, std::move(_ssl), _handler);
 }
 else
 {
@@ -245,9 +245,9 @@ public:
 * @param buffer The buffer that was already built
 * @param handler User-supplied handler object
 */
- SslConnected(TcpConnection *connection, int socket, const SslWrapper &ssl, TcpOutBuffer &&buffer, TcpHandler *handler) :
+ SslConnected(TcpConnection *connection, int socket, SslWrapper &&ssl, TcpOutBuffer &&buffer, TcpHandler *handler) :
 TcpState(connection, handler),
- _ssl(ssl),
+ _ssl(std::move(ssl)),
 _socket(socket),
 _out(std::move(buffer)),
 _in(4096),
diff --git a/src/linux_tcp/sslcontext.h b/src/linux_tcp/sslcontext.h
index 2c2d8b3..bcf8c90 100644
--- a/src/linux_tcp/sslcontext.h
+++ b/src/linux_tcp/sslcontext.h
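Review bot: After `std::move(_ssl)` on the `return new SslShutdown(...)` line in sslconnected.h, the SslConnected object stays alive with a null `_ssl` until the caller swaps in the returned state, and nothing in the hunk records that. The enclosing method starts and ends outside the hunk, so whether any later path can touch `_ssl` again is not visible here; if one can, a null handle would reach the OpenSSL calls. I would add a comment above the return, `// _ssl is moved-from (null) after this line; this state must not use it again`. The same applies to the two `nextstate(new SslConnected(...))` lines in sslhandshake.h.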
@@ -42,26 +42,11 @@ public:
 }
 /**
- * Constructor that wraps around an existing context
- * @param context
- */
- SslContext(SSL_CTX *context) : _ctx(context)
- {
- // increment refcount
- // @todo fix this
- //SSL_ctx_up_ref(context);
- }
-
- /**
- * Copy constructor
+ * Copy constructor is delete because the object is refcounted,
+ * and we do not have a decent way to update the refcount in openssl 1.0
 * @param that
 */
- SslContext(SslContext &that) : _ctx(that._ctx)
- {
- // increment refcount
- // @todo fix this
- //SSL_ctx_up_ref(context);
- }
+ SslContext(SslContext &that) = delete;
 /**
 * Destructor
diff --git a/src/linux_tcp/sslhandshake.h b/src/linux_tcp/sslhandshake.h
index 9a4be90..5bbde81 100644
--- a/src/linux_tcp/sslhandshake.h
+++ b/src/linux_tcp/sslhandshake.h
@@ -162,7 +162,7 @@ public:
 int result = OpenSSL::SSL_do_handshake(_ssl);
 // if the connection succeeds, we can move to the ssl-connected state
- if (result == 1) return nextstate(new SslConnected(_connection, _socket, _ssl, std::move(_out), _handler));
+ if (result == 1) return nextstate(new SslConnected(_connection, _socket, std::move(_ssl), std::move(_out), _handler));
 // error was returned, so we must investigate what is going on
 auto error = OpenSSL::SSL_get_error(_ssl, result);
@@ -203,7 +203,7 @@ public:
 int result = OpenSSL::SSL_do_handshake(_ssl);
 // if the connection succeeds, we can move to the ssl-connected state
- if (result == 1) return nextstate(new SslConnected(_connection, _socket, _ssl, std::move(_out), _handler));
+ if (result == 1) return nextstate(new SslConnected(_connection, _socket, std::move(_ssl), std::move(_out), _handler));
 // error was returned, so we must investigate what is going on
 auto error = OpenSSL::SSL_get_error(_ssl, result);
diff --git a/src/linux_tcp/sslshutdown.h b/src/linux_tcp/sslshutdown.h
index 2361155..bacc81e 100644
--- a/src/linux_tcp/sslshutdown.h
+++ b/src/linux_tcp/sslshutdown.h
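Review bot: Deleting only `SslContext(SslContext &that)` in sslcontext.h leaves the implicitly generated copy assignment operator available, so `a = b` would still compile and leave two objects holding the same `SSL_CTX *` with no refcount bump. The destructor body is outside the hunk, but if it frees `_ctx`, that is a double free. I would delete both operations using the const signature: `SslContext(const SslContext &that) = delete;` and `SslContext &operator=(const SslContext &that) = delete;`, unless an assignment operator is already declared elsewhere in the class.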
@@ -100,9 +100,9 @@ public:
 * @param ssl The SSL structure
 * @param handler User-supplied handler object
 */
- SslShutdown(TcpConnection *connection, int socket, const SslWrapper &ssl, TcpHandler *handler) :
+ SslShutdown(TcpConnection *connection, int socket, SslWrapper &&ssl, TcpHandler *handler) :
 TcpState(connection, handler),
- _ssl(ssl),
+ _ssl(std::move(ssl)),
 _socket(socket)
 {
 // tell the handler to monitor the socket if there is an out
diff --git a/src/linux_tcp/sslwrapper.h b/src/linux_tcp/sslwrapper.h
index 6aa5edd..79a8f7b 100644
--- a/src/linux_tcp/sslwrapper.h
+++ b/src/linux_tcp/sslwrapper.h
@@ -41,25 +41,20 @@ public:
 }
 /**
- * Wrapper constructor
- * @param ssl
- */
- SslWrapper(SSL *ssl) : _ssl(ssl)
- {
- // one more reference
- // @todo fix this
- //CRYPTO_add(_ssl);
- }
-
- /**
- * Copy constructor
+ * Copy constructor is removed because openssl 1.0 has no way to up refcount
+ * (otherwise we could be safely copying objects around)
 * @param that
 */
- SslWrapper(const SslWrapper &that) : _ssl(that._ssl)
+ SslWrapper(const SslWrapper &that) = delete;
+
+ /**
+ * Move constructor
+ * @param that
+ */
+ SslWrapper(SslWrapper &&that) : _ssl(that._ssl)
 {
- // one more reference
- // @todo fix this
- //SSL_up_ref(_ssl);
+ // invalidate other object
+ that._ssl = nullptr;
 }
 /**
@@ -67,6 +62,9 @@ public:
 */
 virtual ~SslWrapper()
 {
+ // do nothing if already moved away
+ if (_ssl == nullptr) return;
+
 // destruct object
 OpenSSL::SSL_free(_ssl);
 }
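Review bot: The new move constructor in sslwrapper.h is not marked `noexcept`, although its body only copies a pointer and nulls the source, so it cannot throw. I would declare it as `SslWrapper(SslWrapper &&that) noexcept : _ssl(that._ssl)`. Its doc comment also leaves `@param that` empty; it should say that the source object gives up the SSL handle and is left holding nullptr, for example `@param that  object to take the SSL handle from; holds nullptr afterwards`. That moved-from state is what the null check added to the destructor in the following hunk relies on, so it is worth stating where the state is created.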