diff --git a/src/internal.c b/src/internal.c
index ec49495fa..dedd2c4d8 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -1587,13 +1587,8 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 /* decrement previous CTX reference count if exists.
 * This should only happen if switching ctxs!*/
 if (!newSSL) {
- if(LockMutex(&ssl->ctx->countMutex) != 0) {
- WOLFSSL_MSG("Couldn't lock on previous CTX count mutex");
- return BAD_MUTEX_E;
- }
- WOLFSSL_MSG("Decrementing previous ctx reference count. Switching ctx.");
- ssl->ctx->refCount--;
- UnLockMutex(&ssl->ctx->countMutex);
+ WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx.");
+ wolfSSL_CTX_free(ssl->ctx);
 }
 /* increment CTX reference count */
@@ -1713,27 +1708,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 XMEMSET(ssl, 0, sizeof(WOLFSSL));
- /* arrays */
- ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap,
- DYNAMIC_TYPE_ARRAYS);
- if (ssl->arrays == NULL) {
- WOLFSSL_MSG("Arrays Memory error");
- return MEMORY_E;
- }
- XMEMSET(ssl->arrays, 0, sizeof(Arrays));
-
- /* suites */
- ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
- DYNAMIC_TYPE_SUITES);
- if (ssl->suites == NULL) {
- WOLFSSL_MSG("Suites Memory error");
- return MEMORY_E;
- }
-
- /* Initialize SSL with the appropriate fields from it's ctx */
- if((ret = SetSSL_CTX(ssl, ctx)) != SSL_SUCCESS)
- return ret;
-
 ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer;
 ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN;
@@ -1777,7 +1751,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 ssl->hmac = TLS_hmac;
 #endif
- ssl->options.dtls = ssl->version.major == DTLS_MAJOR;
 #ifdef WOLFSSL_DTLS
 ssl->buffers.dtlsCtx.fd = -1;
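Review bot: After `wolfSSL_CTX_free(ssl->ctx)` the old pointer is still stored in `ssl->ctx` until the assignment further down, so if that call dropped the reference count to zero and the step under `/* increment CTX reference count */` then fails (presumably with BAD_MUTEX_E, as the removed decrement path did), the WOLFSSL object is left holding a freed context. Clearing it immediately, `ssl->ctx = NULL;` right after the free, keeps that failure path from leaving a dangling pointer. It is also worth confirming the case where the caller passes the context the object already holds: the free now happens before the new reference is taken, so a previous count of one would free the very context about to be attached, unless SetSSL_CTX already rejects `ctx == ssl->ctx` outside the hunk. The increment and the assignment of the new ctx lie outside the hunk.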
@@ -1802,6 +1775,29 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 /* all done with init, now can return errors, call other stuff */
+ /* arrays */
+ ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap,
+ DYNAMIC_TYPE_ARRAYS);
+ if (ssl->arrays == NULL) {
+ WOLFSSL_MSG("Arrays Memory error");
+ return MEMORY_E;
+ }
+ XMEMSET(ssl->arrays, 0, sizeof(Arrays));
+
+ /* suites */
+ ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
+ DYNAMIC_TYPE_SUITES);
+ if (ssl->suites == NULL) {
+ WOLFSSL_MSG("Suites Memory error");
+ return MEMORY_E;
+ }
+
+ /* Initialize SSL with the appropriate fields from it's ctx */
+ if((ret = SetSSL_CTX(ssl, ctx)) != SSL_SUCCESS)
+ return ret;
+
+ ssl->options.dtls = ssl->version.major == DTLS_MAJOR;
+
 /* hsHashes */
 ssl->hsHashes = (HS_Hashes*)XMALLOC(sizeof(HS_Hashes), ssl->heap, DYNAMIC_TYPE_HASHES);
diff --git a/src/tls.c b/src/tls.c
index 9c3e33903..c0bdcd305 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -1003,7 +1003,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
 #ifndef NO_WOLFSSL_SERVER
 word16 size = 0;
 word16 offset = 0;
- int forceKeep = 0;
+ int cacheOnly = 0;
 #endif
 TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION);
@@ -1015,7 +1015,10 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
 if (!extension || !extension->data) {
 #if defined(WOLFSSL_ALWAYS_KEEP_SNI) && !defined(NO_WOLFSSL_SERVER)
- forceKeep = 1;
+ /* This will keep SNI even though TLSX_UseSNI has not been called.
+ * Enable it so that the received sni is available to functions
+ * that use a custom callback when SNI is received */
+ cacheOnly = 1;
 WOLFSSL_MSG("Forcing SSL object to store SNI parameter");
 #else
 return isRequest ? 0 /* not using SNI. */
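Review bot: The moved block can now `return MEMORY_E` from the suites allocation with `ssl->arrays` already allocated, and `return ret` from `SetSSL_CTX` with both allocated, and nothing in the hunk releases them; the preceding comment `/* all done with init, now can return errors, call other stuff */` suggests the caller is expected to free a partially initialised WOLFSSL, but that contract should be stated where the early returns are, e.g. `/* on failure the caller releases the WOLFSSL, which frees arrays/suites */`. Placing `ssl->options.dtls = ...` after `SetSSL_CTX` looks deliberate, presumably because the version is copied from the ctx there; a one-line comment saying so would keep it from being moved back. The moved comment has a typo: `it's ctx` should read `its ctx`. InitSSL continues outside the hunk.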
@@ -1052,13 +1055,13 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
 if (offset + size > length) return BUFFER_ERROR;
- if (!forceKeep && !(sni = TLSX_SNI_Find((SNI*)extension->data, type)))
+ if (!cacheOnly && !(sni = TLSX_SNI_Find((SNI*)extension->data, type)))
 continue; /* not using this type of SNI. */
 switch(type) {
 case WOLFSSL_SNI_HOST_NAME: {
 int matchStat;
- byte matched = forceKeep ||
+ byte matched = cacheOnly ||
 ((XSTRLEN(sni->data.host_name) == size) &&
 (XSTRNCMP(sni->data.host_name, (const char*)input + offset, size) == 0));
@@ -1070,7 +1073,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
 if (r != SSL_SUCCESS) return r; /* throws error. */
- if(forceKeep) {
+ if(cacheOnly) {
 WOLFSSL_MSG("Forcing storage of SNI, Fake match");
 matchStat = WOLFSSL_SNI_FORCE_KEEP;
 } else if(matched) {
@@ -1083,7 +1086,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
 TLSX_SNI_SetStatus(ssl->extensions, type, matchStat);
- if(!forceKeep)
+ if(!cacheOnly)
 TLSX_SetResponse(ssl, SERVER_NAME_INDICATION);
 }
 else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) {