*** a/src/interfaces/libpq/fe-secure.c
--- b/src/interfaces/libpq/fe-secure.c
***************
*** 669,683 **** client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
  			)
  		{
  			/* Colon, but not in second character, treat as engine:key */
- 			ENGINE	   *engine_ptr;
  			char	   *engine_str = strdup(conn->sslkey);
  			char	   *engine_colon = strchr(engine_str, ':');
  
  			*engine_colon = '\0';		/* engine_str now has engine name */
  			engine_colon++;		/* engine_colon now has key name */
  
! 			engine_ptr = ENGINE_by_id(engine_str);
! 			if (engine_ptr == NULL)
  			{
  				char	   *err = SSLerrmessage();
  
--- 669,682 ----
  			)
  		{
  			/* Colon, but not in second character, treat as engine:key */
  			char	   *engine_str = strdup(conn->sslkey);
  			char	   *engine_colon = strchr(engine_str, ':');
  
  			*engine_colon = '\0';		/* engine_str now has engine name */
  			engine_colon++;		/* engine_colon now has key name */
  
! 			conn->engine = ENGINE_by_id(engine_str);
! 			if (conn->engine == NULL)
  			{
  				char	   *err = SSLerrmessage();
  
***************
*** 690,696 **** client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
  				return 0;
  			}
  
! 			*pkey = ENGINE_load_private_key(engine_ptr, engine_colon,
  											NULL, NULL);
  			if (*pkey == NULL)
  			{
--- 689,710 ----
  				return 0;
  			}
  
! 			if (ENGINE_init(conn->engine) == 0)
! 			{
! 				char	   *err = SSLerrmessage();
! 
! 				printfPQExpBuffer(&conn->errorMessage,
! 					 libpq_gettext("could not initialize SSL engine \"%s\": %s\n"),
! 								  engine_str, err);
! 				SSLerrfree(err);
! 				ENGINE_free(conn->engine);
! 				conn->engine = NULL;
! 				free(engine_str);
! 				ERR_pop_to_mark();
! 				return 0;
! 			}
! 
! 			*pkey = ENGINE_load_private_key(conn->engine, engine_colon,
  											NULL, NULL);
  			if (*pkey == NULL)
  			{
***************
*** 700,705 **** client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
--- 714,722 ----
  								  libpq_gettext("could not read private SSL key \"%s\" from engine \"%s\": %s\n"),
  								  engine_colon, engine_str, err);
  				SSLerrfree(err);
+ 				ENGINE_finish(conn->engine);
+ 				ENGINE_free(conn->engine);
+ 				conn->engine = NULL;
  				free(engine_str);
  				ERR_pop_to_mark();
  				return 0;
***************
*** 1217,1222 **** close_SSL(PGconn *conn)
--- 1234,1246 ----
  		X509_free(conn->peer);
  		conn->peer = NULL;
  	}
+ 
+ 	if (conn->engine)
+ 	{
+ 		ENGINE_finish(conn->engine);
+ 		ENGINE_free(conn->engine);
+ 		conn->engine = NULL;
+ 	}
  }
  
  /*
*** a/src/interfaces/libpq/libpq-int.h
--- b/src/interfaces/libpq/libpq-int.h
***************
*** 383,388 **** struct pg_conn
--- 383,389 ----
  	X509	   *peer;			/* X509 cert of server */
  	char		peer_dn[256 + 1];		/* peer distinguished name */
  	char		peer_cn[SM_USER + 1];	/* peer common name */
+ 	ENGINE	   *engine;			/* SSL engine, if any */
  #endif
  
  #ifdef ENABLE_GSS