7 files changed, 91 insertions, 6 deletions
diff --git a/docs/man/CMakeLists.txt b/docs/man/CMakeLists.txt
index 5381f1e5..77efa1c8 100644
--- a/docs/man/CMakeLists.txt
+++ b/docs/man/CMakeLists.txt
@@ -297,6 +297,7 @@ if (NNG_ENABLE_DOC)
 	nng_tls_config_ca_file
 	nng_tls_config_cert_key_file
 	nng_tls_config_free
+	nng_tls_config_hold
 	nng_tls_config_own_cert
 	nng_tls_config_server_name
     )
diff --git a/docs/man/nng_http_client_get_tls.3http.adoc b/docs/man/nng_http_client_get_tls.3http.adoc
index 38c59ea5..53e4f426 100644
--- a/docs/man/nng_http_client_get_tls.3http.adoc
+++ b/docs/man/nng_http_client_get_tls.3http.adoc
@@ -28,8 +28,12 @@ int nng_http_client_get_tls(nng_http_client *client, nng_tls_config **cfgp);
 The `nng_http_client_get_tls()` obtains the TLS configuration of _client_ and
 saves a pointer to it in the address referenced by _cfgp_.
 
-The configuration will be `NULL` if the HTTP client instance is not enabled
-to use HTTPS.
+The object will be returned with an extra hold (see
+`<<nng_tls_config_hold.3tls#,nng_tls_config_hold()>>`)
+placed on it on behalf of the caller.
+The caller should free this hold by calling
+`<<nng_tls_config_free.3tls#,nng_tls_config_free()>>` with it is done
+with the TLS configuration.
 
 == RETURN VALUES
 
@@ -38,6 +42,7 @@ This function returns 0 on success, and non-zero otherwise.
 == ERRORS
 
 [horizontal]
+`NNG_EINVAL`:: TLS not configured on client.
 `NNG_ENOMEM`:: Insufficient free memory exists.
 `NNG_ENOTSUP`:: Either HTTP or TLS not supported.
 
@@ -48,5 +53,7 @@ This function returns 0 on success, and non-zero otherwise.
 <<nng_http_client_connect.3http#,nng_http_client_connect(3http)>>,
 <<nng_http_client_set_tls.3http#,nng_http_client_set_tls(3http)>>,
 <<nng_tls_config_alloc.3tls#,nng_tls_config_alloc(3tls)>>,
+<<nng_tls_config_free.3tls#,nng_tls_config_free(3tls)>>,
+<<nng_tls_config_hold.3tls#,nng_tls_config_hold(3tls)>>,
 <<nng_strerror.3#,nng_strerror(3)>>,
 <<nng.7#,nng(7)>>
diff --git a/docs/man/nng_http_server_get_tls.3http.adoc b/docs/man/nng_http_server_get_tls.3http.adoc
index ec3953e8..e252f46c 100644
--- a/docs/man/nng_http_server_get_tls.3http.adoc
+++ b/docs/man/nng_http_server_get_tls.3http.adoc
@@ -28,8 +28,12 @@ int nng_http_server_get_tls(nng_http_server *s, nng_tls_config **cfgp);
 The `nng_http_server_get_tls()` obtains the TLS configuration of server _s_ and
 saves a pointer to it in the address referenced by _cfgp_.
 
-The configuration will be `NULL` if the HTTP server instance is not enabled
-to use HTTPS.
+The object will be returned with an extra hold (see
+`<<nng_tls_config_hold.3tls#,nng_tls_config_hold()>>`)
+placed on it on behalf of the caller.
+The caller should free this hold by calling
+`<<nng_tls_config_free.3tls#,nng_tls_config_free()>>` with it is done
+with the TLS configuration.
 
 == RETURN VALUES
 
@@ -38,6 +42,7 @@ This function returns 0 on success, and non-zero otherwise.
 == ERRORS
 
 [horizontal]
+`NNG_EINVAL`:: TLS not configured on server.
 `NNG_ENOMEM`:: Insufficient free memory exists.
 `NNG_ENOTSUP`:: Either HTTP or TLS not supported.
 
@@ -48,5 +53,7 @@ This function returns 0 on success, and non-zero otherwise.
 <<nng_http_server_set_tls.3http#,nng_http_server_set_tls(3http)>>,
 <<nng_http_server_start.3http#,nng_http_server_start(3http)>>,
 <<nng_tls_config_alloc.3tls#,nng_tls_config_alloc(3tls)>>,
+<<nng_tls_config_free.3tls#,nng_tls_config_free(3tls)>>,
+<<nng_tls_config_hold.3tls#,nng_tls_config_hold(3tls)>>,
 <<nng_strerror.3#,nng_strerror(3)>>,
 <<nng.7#,nng(7)>>
diff --git a/docs/man/nng_tls.7.adoc b/docs/man/nng_tls.7.adoc
index 43c5a913..59aa77f2 100644
--- a/docs/man/nng_tls.7.adoc
+++ b/docs/man/nng_tls.7.adoc
@@ -139,6 +139,12 @@ The value is of type `bool` and defaults to `true`.
 This option is used on an endpoint to access the underlying TLS
 configuration object.
 The value is of type `nng_tls_config *`.
+If the value is not `NULL`, a hold is placed on the underlying
+configuration object before returning it (see
+`<<nng_tls_config_hold.3tls#,nng_tls_config_hold()>>`).
+The caller should release the object with
+`<<nng_tls_config_free.3tls#,nng_tls_config_free()>>` when it no
+longer needs the TLS configuration object.
 
 TIP: Use this option when advanced TLS configuration is required.
 
diff --git a/docs/man/nng_tls_config_alloc.3tls.adoc b/docs/man/nng_tls_config_alloc.3tls.adoc
index 92ed5d41..edbf1c1e 100644
--- a/docs/man/nng_tls_config_alloc.3tls.adoc
+++ b/docs/man/nng_tls_config_alloc.3tls.adoc
@@ -47,7 +47,14 @@ or services.
 The underlying system uses reference counting to ensure
 that object is not inadvertently freed while in use.
 
-Also note that a TLS configuration object becomes "read-only" after it
+A configuration object created with `nng_tls_config_alloc()` starts
+with a reference count of one.
+The reference count may be incremented using
+`<<nng_tls_config_hold.3tls#,nng_tls_config_hold()>>` and may be
+decremented with
+`<<nng_tls_config_free.3tls#,nng_tls_config_free()>>`.
+
+Also note that a TLS configuration object becomes "`read-only`" after it
 is first used with a service.
 After this points, attempts to apply
 further changes to the configuration will result in `NNG_EBUSY`.
@@ -71,5 +78,6 @@ This function returns 0 on success, and non-zero otherwise.
 <<nng_tls_config_ca_chain.3tls#,nng_tls_config_ca_chain(3tls)>>,
 <<nng_tls_config_own_cert.3tls#,nng_tls_config_own_cert(3tls)>>,
 <<nng_tls_config_free.3tls#,nng_tls_config_free(3tls)>>,
+<<nng_tls_config_hold.3tls#,nng_tls_config_hold(3tls)>>,
 <<nng_tls_config_server_name.3tls#,nng_tls_config_server_name(3tls)>>,
 <<nng.7#,nng(7)>>
diff --git a/docs/man/nng_tls_config_hold.3tls.adoc b/docs/man/nng_tls_config_hold.3tls.adoc
new file mode 100644
index 00000000..0461a862
--- /dev/null
+++ b/docs/man/nng_tls_config_hold.3tls.adoc
@@ -0,0 +1,50 @@
+= nng_tls_config_hold(3tls)
+//
+// Copyright 2018 Staysail Systems, Inc. <info@staysail.tech>
+//
+// This document is supplied under the terms of the MIT License, a
+// copy of which should be located in the distribution where this
+// file was obtained (LICENSE.txt).  A copy of the license may also be
+// found online at https://opensource.org/licenses/MIT.
+//
+
+== NAME
+
+nng_tls_config_hold - hold TLS configuration object
+
+== SYNOPSIS
+
+[source, c]
+----
+#include <nng/nng.h>
+#include <nng/supplemental/tls/tls.h>
+
+void nng_tls_config_alloc(nng_tls_config *cfg);
+----
+
+== DESCRIPTION
+
+The `nng_tls_config_hold()` increments the reference count on
+the configuration object named by _cfg_, thereby preventing it
+from being freed while in use.
+
+The hold can be released by calling
+`<<nng_tls_config_free.3tls#,nng_tls_config_free()>>`.
+
+Multiple holds can be placed on a configuration object; the object
+will not be freed until the last hold is released.
+
+== RETURN VALUES
+
+None.
+
+== ERRORS
+
+None.
+
+== SEE ALSO
+
+[.text-left]
+<<nng_tls_config_alloc.3tls#,nng_tls_config_alloc(3tls)>>,
+<<nng_tls_config_free.3tls#,nng_tls_config_free(3tls)>>,
+<<nng.7#,nng(7)>>
diff --git a/docs/man/nng_ws.7.adoc b/docs/man/nng_ws.7.adoc
index 1aede210..9d4ef497 100644
--- a/docs/man/nng_ws.7.adoc
+++ b/docs/man/nng_ws.7.adoc
@@ -129,8 +129,14 @@ This option can be set on listeners, and retrieved from pipes.
 ((`NNG_OPT_TLS_CONFIG`))::
 
 (opaque) This option is used on an endpoint to access the underlying TLS
-configuration object.
+configuration object for `wss://` endpoints.
 The value is of type `nng_tls_config *`.
+A hold is placed on the underlying
+configuration object before returning it (see
+`<<nng_tls_config_hold.3tls#,nng_tls_config_hold()>>`).
+The caller should release the object with
+`<<nng_tls_config_free.3tls#,nng_tls_config_free()>>` when it no
+longer needs the TLS configuration.
 
 TIP: Use this option when advanced TLS configuration is required.