diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
index 276514ab9..3fc7ff093 100644
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@@ -91,12 +91,16 @@ WiFiClientSecure::WiFiClientSecure() : WiFiClient() {
   _clear();
   _clearAuthenticationSettings();
   _certStore = nullptr; // Don't want to remove cert store on a clear, should be long lived
+  _ensureStackAvailable();
+  _local_bearssl_stack = _bearssl_stack;
+}
+
+void WiFiClientSecure::_ensureStackAvailable() {
   if (!_bearssl_stack) {
     const int stacksize = 4500; // Empirically determined stack for EC and RSA connections
     _bearssl_stack = std::shared_ptr<uint8_t>(new uint8_t[stacksize], std::default_delete<uint8_t[]>());
     br_esp8266_stack_proxy_init(_bearssl_stack.get(), stacksize);
   }
-  _local_bearssl_stack = _bearssl_stack;
 }
 
 WiFiClientSecure::~WiFiClientSecure() {
@@ -106,7 +110,11 @@ WiFiClientSecure::~WiFiClientSecure() {
   }
   free(_cipher_list);
   _freeSSL();
-  _local_bearssl_stack = nullptr; // Potentially delete it if we're the last SSL object
+  _local_bearssl_stack = nullptr;
+  // If there are no other uses than the initial creation, free the stack
+  if (_bearssl_stack.use_count() == 1) {
+    _bearssl_stack = nullptr;
+  }
   if (_deleteChainKeyTA) {
     delete _ta;
     delete _chain;
@@ -119,6 +127,8 @@ WiFiClientSecure::WiFiClientSecure(ClientContext* client,
                                      int iobuf_in_size, int iobuf_out_size, const BearSSLX509List *client_CA_ta) {
   _clear();
   _clearAuthenticationSettings();
+  _ensureStackAvailable();
+  _local_bearssl_stack = _bearssl_stack;
   _iobuf_in_size = iobuf_in_size;
   _iobuf_out_size = iobuf_out_size;
   _client = client;
@@ -136,6 +146,8 @@ WiFiClientSecure::WiFiClientSecure(ClientContext *client,
                                      int iobuf_in_size, int iobuf_out_size, const BearSSLX509List *client_CA_ta) {
   _clear();
   _clearAuthenticationSettings();
+  _ensureStackAvailable();
+  _local_bearssl_stack = _bearssl_stack;
   _iobuf_in_size = iobuf_in_size;
   _iobuf_out_size = iobuf_out_size;
   _client = client;
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
index af32a38ee..143258276 100644
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
@@ -229,6 +229,7 @@ class WiFiClientSecure : public WiFiClient {
   private:
     // Single memory buffer used for BearSSL auxilliary stack, insead of growing main Arduino stack for all apps
     static std::shared_ptr<uint8_t> _bearssl_stack;
+    void _ensureStackAvailable(); // Allocate the stack if necessary
     // The local copy, only used to enable a reference count
     std::shared_ptr<uint8_t> _local_bearssl_stack;
 };