diff --git a/src/internal.c b/src/internal.c
index 18732349d..1572a6bef 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2016,11 +2016,11 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
 #endif
 #ifdef WOLFSSL_STATIC_EPHEMERAL
 #ifndef NO_DH
- if (ctx->staticKE.dhKey)
+ if (ctx->staticKE.dhKey && ctx->staticKE.weOwnDH)
 FreeDer(&ctx->staticKE.dhKey);
 #endif
 #ifdef HAVE_ECC
- if (ctx->staticKE.ecKey)
+ if (ctx->staticKE.ecKey && ctx->staticKE.weOwnEC)
 FreeDer(&ctx->staticKE.ecKey);
 #endif
 #endif
@@ -5925,7 +5925,13 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 ssl->options.mutualAuth = ctx->mutualAuth;
 #ifdef WOLFSSL_STATIC_EPHEMERAL
- ssl->staticKE = ctx->staticKE;
+ XMEMCPY(&ssl->staticKE, &ctx->staticKE, sizeof(StaticKeyExchangeInfo_t));
+ #ifdef HAVE_ECC
+ ssl->staticKE.weOwnEC = 0;
+ #endif
+ #ifndef NO_DH
+ ssl->staticKE.weOwnDH = 0;
+ #endif
 #endif
 #ifdef WOLFSSL_TLS13
@@ -6669,11 +6675,11 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 #endif
 #ifdef WOLFSSL_STATIC_EPHEMERAL
 #ifndef NO_DH
- if (ssl->staticKE.dhKey && ssl->staticKE.dhKey != ssl->ctx->staticKE.dhKey)
+ if (ssl->staticKE.dhKey && ssl->staticKE.weOwnDH)
 FreeDer(&ssl->staticKE.dhKey);
 #endif
 #ifdef HAVE_ECC
- if (ssl->staticKE.ecKey && ssl->staticKE.ecKey != ssl->ctx->staticKE.ecKey)
+ if (ssl->staticKE.ecKey && ssl->staticKE.weOwnEC)
 FreeDer(&ssl->staticKE.ecKey);
 #endif
 #endif
diff --git a/src/ssl.c b/src/ssl.c
index e86c52e12..6bbca1124 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -53011,7 +53011,7 @@ int wolfSSL_X509_REQ_set_pubkey(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey)
 #ifdef WOLFSSL_STATIC_EPHEMERAL
 static int SetStaticEphemeralKey(StaticKeyExchangeInfo_t* staticKE, int keyAlgo,
- const char* key, unsigned int keySz, int format, void* heap, WOLFSSL_CTX* ctx)
+ const char* key, unsigned int keySz, int format, void* heap)
 {
 int ret = 0;
 DerBuffer* der = NULL;
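Review bot: In the InitSSL hunk the `XMEMCPY` leaves `ssl->staticKE.dhKey` and `ssl->staticKE.ecKey` pointing at DerBuffers the WOLFSSL_CTX still owns, and nothing visible in the hunk ties their lifetime to the ssl object. If the CTX key is later replaced through SetStaticEphemeralKey, the CTX copy has its weOwn bit set and is freed there, so an ssl created earlier would presumably keep a stale pointer to a zeroized, freed private key. Either state the constraint at the copy, e.g. `/* borrowed from ctx: the ctx key must not be replaced while this ssl is alive */`, or give each ssl its own copy or a reference count on the DerBuffer. The struct assignment did not need to become XMEMCPY; `ssl->staticKE = ctx->staticKE;` followed by clearing the two bits reads the same. InitSSL continues outside the hunk.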
@@ -53101,15 +53101,20 @@ static int SetStaticEphemeralKey(StaticKeyExchangeInfo_t* staticKE, int keyAlgo,
 }
 }
- /* if key is already set free it */
+#ifndef NO_FILESYSTEM
+ /* done with keyFile buffer */
+ if (keyFile && keyBuf) {
+ XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
+ }
+#endif
+
+ /* if key is already allocated then set free it */
 #ifndef NO_DH
- if (keyAlgo == WC_PK_TYPE_DH && staticKE->dhKey &&
- (ctx == NULL || staticKE->dhKey != ctx->staticKE.dhKey))
+ if (keyAlgo == WC_PK_TYPE_DH && staticKE->dhKey && staticKE->weOwnDH)
 FreeDer(&staticKE->dhKey);
 #endif
 #ifdef HAVE_ECC
- if (keyAlgo == WC_PK_TYPE_ECDH && staticKE->ecKey &&
- (ctx == NULL || staticKE->ecKey != ctx->staticKE.ecKey))
+ if (keyAlgo == WC_PK_TYPE_ECDH && staticKE->ecKey && staticKE->weOwnEC)
 FreeDer(&staticKE->ecKey);
 #endif
@@ -53117,11 +53122,13 @@ static int SetStaticEphemeralKey(StaticKeyExchangeInfo_t* staticKE, int keyAlgo,
 #ifndef NO_DH
 case WC_PK_TYPE_DH:
 staticKE->dhKey = der;
+ staticKE->weOwnDH = 1;
 break;
 #endif
 #ifdef HAVE_ECC
 case WC_PK_TYPE_ECDH:
 staticKE->ecKey = der;
+ staticKE->weOwnEC = 1;
 break;
 #endif
 default:
@@ -53131,12 +53138,6 @@ static int SetStaticEphemeralKey(StaticKeyExchangeInfo_t* staticKE, int keyAlgo,
 break;
 }
-#ifndef NO_FILESYSTEM
- if (keyFile && keyBuf) {
- XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);
- }
-#endif
-
 WOLFSSL_LEAVE("SetStaticEphemeralKey", ret);
 return ret;
@@ -53150,7 +53151,7 @@ int wolfSSL_CTX_set_ephemeral_key(WOLFSSL_CTX* ctx, int keyAlgo,
 }
 return SetStaticEphemeralKey(&ctx->staticKE, keyAlgo, key, keySz, format,
- ctx->heap, NULL);
+ ctx->heap);
 }
 int wolfSSL_set_ephemeral_key(WOLFSSL* ssl, int keyAlgo,
 const char* key, unsigned int keySz, int format)
@@ -53160,7 +53161,7 @@ int wolfSSL_set_ephemeral_key(WOLFSSL* ssl, int keyAlgo,
 }
 return SetStaticEphemeralKey(&ssl->staticKE, keyAlgo, key, keySz, format,
- ssl->heap, ssl->ctx);
+ ssl->heap);
 }
 static int GetStaticEphemeralKey(StaticKeyExchangeInfo_t* staticKE, int keyAlgo,
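Review bot: The relocated `XFREE(keyBuf, heap, DYNAMIC_TYPE_TMP_BUFFER);` in the `@@ -53101` hunk releases the buffer that held the private key file without wiping it, while FreeDer in this same commit is careful to ForceZero PRIVATEKEY_TYPE buffers. Adding `ForceZero(keyBuf, keySz);` just before the XFREE would keep the raw key material out of freed heap memory; this assumes keySz holds the loaded length at that point, which is set outside the hunk. The new comment `/* if key is already allocated then set free it */` would also read better as `/* free the existing key if we own it */`. The function body starts and ends outside the hunk.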
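Review bot: In the `@@ -53117` hunk `staticKE->weOwnDH = 1;` and `staticKE->weOwnEC = 1;` are set unconditionally, so the struct claims ownership even when `der` is still NULL (it is initialised to NULL at the top of the function; the path that leaves it NULL is presumably the clear-key call, outside this hunk). Every free site shown in this commit tests the pointer first, so this is harmless today. Writing `staticKE->weOwnDH = (der != NULL);` and the matching line for EC would keep the flag truthful for any later code that trusts it on its own.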
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 9213486ef..4f1a6ddc0 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -10729,7 +10729,7 @@ void FreeDer(DerBuffer** pDer)
 DerBuffer* der = (DerBuffer*)*pDer;
 /* ForceZero private keys */
- if (der->type == PRIVATEKEY_TYPE) {
+ if (der->type == PRIVATEKEY_TYPE && der->buffer != NULL) {
 ForceZero(der->buffer, der->length);
 }
 der->buffer = NULL;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 00bf17de9..57099e408 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2745,6 +2745,13 @@ typedef struct {
 #endif
 #ifdef HAVE_ECC
 DerBuffer* ecKey;
+#endif
+ /* bits */
+#ifndef NO_DH
+ byte weOwnDH:1;
+#endif
+#ifdef HAVE_ECC
+ byte weOwnEC:1;
 #endif
 } StaticKeyExchangeInfo_t;
 #endif
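Review bot: The `/* bits */` comment in the internal.h hunk does not say what weOwnDH and weOwnEC mean, and the whole change rests on that contract. Something like `/* set when this struct allocated the DerBuffer and must FreeDer it; clear when the pointer is borrowed from the WOLFSSL_CTX */` would make it explicit. The flags are only safe if every StaticKeyExchangeInfo_t starts out zeroed, which the hunks here do not show, so it is worth confirming that the CTX init path clears the struct before any key is set.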