diff --git a/lib/ngx/balancer.lua b/lib/ngx/balancer.lua index 1c72e1500..6fdb33243 100644 --- a/lib/ngx/balancer.lua +++ b/lib/ngx/balancer.lua @@ -21,6 +21,7 @@ local subsystem = ngx.config.subsystem local ngx_lua_ffi_balancer_set_current_peer local ngx_lua_ffi_balancer_set_more_tries local ngx_lua_ffi_balancer_get_last_failure +local ngx_lua_ffi_balancer_set_ssl_ctx local ngx_lua_ffi_balancer_set_timeouts -- used by both stream and http @@ -35,6 +36,9 @@ if subsystem == 'http' then int ngx_http_lua_ffi_balancer_get_last_failure(ngx_http_request_t *r, int *status, char **err); + int ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r, + void* ssl_ctx, char **err); + int ngx_http_lua_ffi_balancer_set_timeouts(ngx_http_request_t *r, long connect_timeout, long send_timeout, long read_timeout, char **err); @@ -49,6 +53,9 @@ if subsystem == 'http' then ngx_lua_ffi_balancer_get_last_failure = C.ngx_http_lua_ffi_balancer_get_last_failure + ngx_lua_ffi_balancer_set_ssl_ctx = + C.ngx_http_lua_ffi_balancer_set_ssl_ctx + ngx_lua_ffi_balancer_set_timeouts = C.ngx_http_lua_ffi_balancer_set_timeouts @@ -163,6 +170,27 @@ function _M.get_last_failure() end +if subsystem == 'http' then + function _M.set_ssl_ctx(ssl_ctx) + local r = getfenv(0).__ngx_req + if not r then + error("no request found") + end + + if type(ssl_ctx) ~= "cdata" then + error("ssl context must be an ffi pointer") + end + + local state = ngx_lua_ffi_balancer_set_ssl_ctx(r, ssl_ctx, errmsg) + + if state == FFI_ERROR then + return false, ffi_str(errmsg[0]) + end + return true + end +end + + function _M.set_timeouts(connect_timeout, send_timeout, read_timeout) local r = getfenv(0).__ngx_req if not r then diff --git a/lib/ngx/balancer.md b/lib/ngx/balancer.md index b2f852be1..710888cc4 100644 --- a/lib/ngx/balancer.md +++ b/lib/ngx/balancer.md 
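Review bot: In `_M.set_ssl_ctx`, the `type(ssl_ctx) ~= "cdata"` guard accepts any FFI object, so a NULL pointer or a pointer to an unrelated type passes the Lua-side check and reaches `ngx_lua_ffi_balancer_set_ssl_ctx` as a bare `void*`. Whether the C function rejects NULL is not visible in this diff; a guard placed right after the type check, `if ssl_ctx == nil then error("ssl context must not be NULL") end`, would fail cleanly instead (LuaJIT treats a NULL pointer cdata as equal to `nil`). The pointee type cannot be validated from Lua, so I would also add a comment above the function such as `-- ssl_ctx must point to a live SSL_CTX; this wrapper cannot verify that, and any other pointer is undefined behaviour on the C side`. Because the supplied context presumably governs the upstream TLS handshake, the same comment should say that peer-verification settings on that context are the caller's responsibility; confirm this against the C implementation.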
@@ -207,6 +207,18 @@ method always returns a single `nil` value. [Back to TOC](#table-of-contents) +set_ssl_ctx +---------------- +**syntax:** *ok, err = balancer.set_ssl_ctx(ssl_ctx)* + +**context:** *balancer_by_lua** + +Set the OpenSSL `SSL_CTX*` used to negotiate with the upstream. `ssl_ctx` should be an FFI pointer to a valid `SSL_CTX`. The reference count of the `SSL_CTX*` is incremented, so it is safe to free your reference to the object. + +This function does not exist in the stream module. + +[Back to TOC](#table-of-contents) + set_timeouts ------------ **syntax:** `ok, err = balancer.set_timeouts(connect_timeout, send_timeout, read_timeout)`