diff --git a/src/openssl/pubkey-pinning.c b/src/openssl/pubkey-pinning.c
index 1b9674fd..09cb2c70 100644
--- a/src/openssl/pubkey-pinning.c
+++ b/src/openssl/pubkey-pinning.c
@@ -361,15 +361,18 @@ _getdns_upstream_from_x509_store(X509_STORE_CTX *store)
 }
 getdns_return_t
-_getdns_associate_upstream_with_SSL(SSL *ssl,
- getdns_upstream *upstream)
+_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
+ getdns_upstream *upstream)
 {
+ if (!conn || !conn->ssl)
+ return GETDNS_RETURN_INVALID_PARAMETER;
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 int uidx = _get_ssl_getdns_upstream_idx();
 #else
- int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl)));
+ int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(conn->ssl)));
 #endif
- if (SSL_set_ex_data(ssl, uidx, upstream))
+ if (SSL_set_ex_data(conn->ssl, uidx, upstream))
 return GETDNS_RETURN_GOOD;
 else
 return GETDNS_RETURN_GENERIC_ERROR;
diff --git a/src/pubkey-pinning.h b/src/pubkey-pinning.h
index 894ccf00..5f0e4840 100644
--- a/src/pubkey-pinning.h
+++ b/src/pubkey-pinning.h
@@ -34,6 +34,7 @@
 #ifndef PUBKEY_PINNING_H_
 #define PUBKEY_PINNING_H_
+#include "tls.h"
 /* create and populate a pinset linked list from a getdns_list pinset */
 getdns_return_t
@@ -57,8 +58,8 @@ _getdns_upstream_from_x509_store(X509_STORE_CTX *store);
 getdns_return_t
-_getdns_associate_upstream_with_SSL(SSL *ssl,
- getdns_upstream *upstream);
+_getdns_associate_upstream_with_connection(_getdns_tls_connection *conn,
+ getdns_upstream *upstream);
 getdns_return_t
 _getdns_verify_pinset_match(const sha256_pin_t *pinset,
diff --git a/src/stub.c b/src/stub.c
index 8db8a7fe..ca4c55d0 100644
--- a/src/stub.c
+++ b/src/stub.c
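Review bot: The index produced by `_get_ssl_getdns_upstream_idx()` on both `#if` branches is handed straight to SSL_set_ex_data without being checked, so the new function still relies on OpenSSL rejecting a bad index rather than failing explicitly; whether that helper can report a failed ex-data registration with a negative value is not visible in this hunk. A guard after the `#endif`, `if (uidx < 0) return GETDNS_RETURN_GENERIC_ERROR;`, would make that failure path explicit alongside the added `!conn || !conn->ssl` check. The `upstream` pointer is stored unchecked, as it was before the rename; if a NULL upstream is never meaningful here, the same guard could cover it. The function's closing brace lies outside the hunk.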
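Review bot: The renamed declaration of `_getdns_associate_upstream_with_connection` in pubkey-pinning.h carries no comment, whereas the pinset-creation declaration earlier in the same header is introduced by a one-line `/* */` comment; the new parameter type and the new INVALID_PARAMETER return deserve the same treatment. I would add above it: `/* store upstream as ex-data on conn->ssl so it can be recovered later (see _getdns_upstream_from_x509_store); returns GETDNS_RETURN_INVALID_PARAMETER when conn or conn->ssl is NULL, GETDNS_RETURN_GENERIC_ERROR when SSL_set_ex_data fails */`. The "recovered later" wording is inferred from the sibling declaration's name and the stub.c call-site comment, so adjust it if the retrieval path differs.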
@@ -838,7 +838,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 _getdns_tls_connection_set_curves_list(tls, upstream->tls_curves_list);
 #endif
 /* make sure we'll be able to find the context again when we need it */
- if (_getdns_associate_upstream_with_SSL(tls->ssl, upstream) != GETDNS_RETURN_GOOD) {
+ if (_getdns_associate_upstream_with_connection(tls, upstream) != GETDNS_RETURN_GOOD) {
 _getdns_tls_connection_free(tls);
 return NULL;
 }