--- a/netsurf/content/fetchers/curl.c
+++ b/netsurf/content/fetchers/curl.c
@@ -128,6 +128,26 @@
 static char fetch_proxy_userpwd[100];
 
 
+/* OpenSSL 1.0.x to 1.1.0 certificate reference counting changed */
+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL)
+static int ns_X509_up_ref(X509 *cert)
+{
+	cert->references++;
+	return 1;
+}
+
+static void ns_X509_free(X509 *cert)
+{
+	cert->references--;
+	if (cert->references == 0) {
+		X509_free(cert);
+	}
+}
+#else
+#define ns_X509_up_ref X509_up_ref
+#define ns_X509_free X509_free
+#endif
+
 /**
  * Initialise a cURL fetcher.
  */
@@ -438,7 +458,7 @@
 	 */
 	if (!fetch->cert_data[depth].cert) {
 		fetch->cert_data[depth].cert = X509_STORE_CTX_get_current_cert(x509_ctx);
-		fetch->cert_data[depth].cert->references++;
+		ns_X509_up_ref(fetch->cert_data[depth].cert);
 		fetch->cert_data[depth].err = X509_STORE_CTX_get_error(x509_ctx);
 	}
 
@@ -815,10 +835,7 @@
 	}
 
 	for (i = 0; i < MAX_CERTS && f->cert_data[i].cert; i++) {
-		f->cert_data[i].cert->references--;
-		if (f->cert_data[i].cert->references == 0) {
-			X509_free(f->cert_data[i].cert);
-		}
+		ns_X509_free(f->cert_data[i].cert);
 	}
 
 	free(f);
@@ -986,10 +1003,7 @@
 					      X509_get_pubkey(certs[depth].cert));
 
 		/* and clean up */
-		certs[depth].cert->references--;
-		if (certs[depth].cert->references == 0) {
-			X509_free(certs[depth].cert);
-		}
+		ns_X509_free(certs[depth].cert);
 	}
 
 	msg.type = FETCH_CERT_ERR;