diff --git a/http/app.hpp b/http/app.hpp
index 29cb4de..b5f5c13 100644
--- a/http/app.hpp
+++ b/http/app.hpp
@@ -83,6 +83,16 @@
         router.validate();
     }
 
+    void loadCertificate()
+    {
+        BMCWEB_LOG_DEBUG("Loading certificate");
+        if (!server)
+        {
+            return;
+        }
+        server->loadCertificate();
+    }
+
     std::optional<boost::asio::ip::tcp::acceptor> setupSocket()
     {
         if (io == nullptr)
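Review bot: loadCertificate logs "Loading certificate" before the `if (!server)` check and then returns silently when no server exists, so the log reports a reload that never happened. A certificate replacement that does not take effect is worth surfacing to whoever reads the journal. Move the debug line below the check and log the skipped case, e.g. `BMCWEB_LOG_WARNING("loadCertificate called before server was created");`.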
diff --git a/http/http_connection.hpp b/http/http_connection.hpp
index 2050afd..e591455 100644
--- a/http/http_connection.hpp
+++ b/http/http_connection.hpp
@@ -63,18 +63,13 @@
   public:
     Connection(Handler* handlerIn, boost::asio::steady_timer&& timerIn,
                std::function<std::string()>& getCachedDateStrF,
-               Adaptor adaptorIn) :
+               Adaptor&& adaptorIn) :
         adaptor(std::move(adaptorIn)),
         handler(handlerIn), timer(std::move(timerIn)),
         getCachedDateStr(getCachedDateStrF)
     {
         initParser();
 
-        if constexpr (BMCWEB_MUTUAL_TLS_AUTH)
-        {
-            prepareMutualTls();
-        }
-
         connectionCount++;
 
         BMCWEB_LOG_DEBUG("{} Connection created, total {}", logPtr(this),
@@ -99,55 +94,61 @@
     bool tlsVerifyCallback(bool preverified,
                            boost::asio::ssl::verify_context& ctx)
     {
-        // We always return true to allow full auth flow for resources that
-        // don't require auth
+        BMCWEB_LOG_DEBUG("{} tlsVerifyCallback called with preverified {}",
+                         logPtr(this), preverified);
         if (preverified)
         {
             mtlsSession = verifyMtlsUser(ip, ctx);
             if (mtlsSession)
             {
-                BMCWEB_LOG_DEBUG("{} Generating TLS session: {}", logPtr(this),
+                BMCWEB_LOG_DEBUG("{} Generated TLS session: {}", logPtr(this),
                                  mtlsSession->uniqueId);
             }
         }
+        const persistent_data::AuthConfigMethods& c =
+            persistent_data::SessionStore::getInstance().getAuthMethodsConfig();
+        if (c.tlsStrict)
+        {
+            return preverified;
+        }
+        // If tls strict mode is disabled
+        // We always return true to allow full auth flow for resources that
+        // don't require auth
         return true;
     }
 
-    void prepareMutualTls()
+    bool prepareMutualTls()
     {
         if constexpr (IsTls<Adaptor>::value)
         {
-            std::error_code error;
-            std::filesystem::path caPath(ensuressl::trustStorePath);
-            auto caAvailable = !std::filesystem::is_empty(caPath, error);
-            caAvailable = caAvailable && !error;
-            if (caAvailable && persistent_data::SessionStore::getInstance()
-                                   .getAuthMethodsConfig()
-                                   .tls)
-            {
-                adaptor.set_verify_mode(boost::asio::ssl::verify_peer);
-                std::string id = "bmcweb";
+            BMCWEB_LOG_DEBUG("prepareMutualTls");
 
-                const char* cStr = id.c_str();
-                // NOLINTNEXTLINE(cppcoreguidelines-pro-type-reinterpret-cast)
-                const auto* idC = reinterpret_cast<const unsigned char*>(cStr);
-                int ret = SSL_set_session_id_context(
-                    adaptor.native_handle(), idC,
-                    static_cast<unsigned int>(id.length()));
-                if (ret == 0)
-                {
-                    BMCWEB_LOG_ERROR("{} failed to set SSL id", logPtr(this));
-                }
+            constexpr std::string_view id = "bmcweb";
+
+            const char* idPtr = id.data();
+            const auto* idCPtr = std::bit_cast<const unsigned char*>(idPtr);
+            auto idLen = static_cast<unsigned int>(id.length());
+            int ret = SSL_set_session_id_context(adaptor.native_handle(),
+                                                 idCPtr, idLen);
+            if (ret == 0)
+            {
+                BMCWEB_LOG_ERROR("{} failed to set SSL id", logPtr(this));
+                return false;
             }
 
-            adaptor.set_verify_callback(
-                std::bind_front(&self_type::tlsVerifyCallback, this));
-        }
-    }
+            BMCWEB_LOG_DEBUG("set_verify_callback");
 
-    Adaptor& socket()
-    {
-        return adaptor;
+            boost::system::error_code ec;
+            adaptor.set_verify_callback(
+                std::bind_front(&self_type::tlsVerifyCallback, this), ec);
+            if (ec)
+            {
+                BMCWEB_LOG_ERROR("Failed to set verify callback {}", ec);
+                return false;
+            }
+        }
+
+        return true;
     }
 
     void start()
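Review bot: prepareMutualTls no longer calls `adaptor.set_verify_mode(boost::asio::ssl::verify_peer)` and no longer checks the trust store or the `tls` auth setting, so whether a client certificate is requested at all now depends on how the shared SSL context is configured, which this diff does not show. If that context sets only verify_peer, the new `tlsStrict` branch in tlsVerifyCallback would reject a client presenting an untrusted certificate but not a client presenting none, since the callback is not expected to run when no certificate is sent. Strict mode would then presumably also need `boost::asio::ssl::verify_fail_if_no_peer_cert`. Separately, a chain-valid certificate for which verifyMtlsUser returns no session still passes the handshake via `return preverified;`. If that is intended, say so above the `if (c.tlsStrict)` check, e.g. `// Strict mode rejects untrusted chains only; a certificate with no matching user falls through to normal auth`.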
@@ -161,6 +162,15 @@
             return;
         }
 
+        if constexpr (BMCWEB_MUTUAL_TLS_AUTH)
+        {
+            if (!prepareMutualTls())
+            {
+                BMCWEB_LOG_ERROR("{} Failed to prepare mTLS", logPtr(this));
+                return;
+            }
+        }
+
         startDeadline();
 
         readClientIp();
@@ -332,6 +342,13 @@
 
     void hardClose()
     {
+        if (mtlsSession != nullptr)
+        {
+            BMCWEB_LOG_DEBUG("{} Removing TLS session: {}", logPtr(this),
+                             mtlsSession->uniqueId);
+            persistent_data::SessionStore::getInstance().removeSession(
+                mtlsSession);
+        }
         BMCWEB_LOG_DEBUG("{} Closing socket", logPtr(this));
         boost::beast::get_lowest_layer(adaptor).close();
     }
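Review bot: hardClose removes the mTLS session from the SessionStore but leaves `mtlsSession` set, so a second hardClose on the same connection would call removeSession again with the same pointer. Adding `mtlsSession = nullptr;` after the removeSession call keeps the connection's state consistent with the store. With the removal dropped from gracefulClose in the following hunk, session cleanup now depends on every close path ending in hardClose. Whether the async_shutdown completion does so is not visible in this diff and is worth confirming.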
@@ -350,13 +367,7 @@
     void gracefulClose()
     {
         BMCWEB_LOG_DEBUG("{} Socket close requested", logPtr(this));
-        if (mtlsSession != nullptr)
-        {
-            BMCWEB_LOG_DEBUG("{} Removing TLS session: {}", logPtr(this),
-                             mtlsSession->uniqueId);
-            persistent_data::SessionStore::getInstance().removeSession(
-                mtlsSession);
-        }
+
         if constexpr (IsTls<Adaptor>::value)
         {
             adaptor.async_shutdown(std::bind_front(
@@ -517,14 +528,14 @@
                 return;
             }
 
-            if constexpr (!std::is_same_v<Adaptor, boost::beast::test::stream>)
+            constexpr bool isTest =
+                std::is_same_v<Adaptor, boost::beast::test::stream>;
+
+            if constexpr (!BMCWEB_INSECURE_DISABLE_AUTH && !isTest)
             {
-                if constexpr (!BMCWEB_INSECURE_DISABLE_AUTH)
-                {
-                    boost::beast::http::verb method = parser->get().method();
-                    userSession = crow::authentication::authenticate(
-                        ip, res, method, parser->get().base(), mtlsSession);
-                }
+                boost::beast::http::verb method = parser->get().method();
+                userSession = crow::authentication::authenticate(
+                    ip, res, method, parser->get().base(), mtlsSession);
             }
 
             std::string_view expect =
diff --git a/http/http_server.hpp b/http/http_server.hpp
index 6d725c9..b22fae2 100644
--- a/http/http_server.hpp
+++ b/http/http_server.hpp
@@ -10,6 +10,7 @@
 #include <boost/asio/ssl/context.hpp>
 #include <boost/asio/ssl/stream.hpp>
 #include <boost/asio/steady_timer.hpp>
+#include <boost/beast/core/stream_traits.hpp>
 
 #include <atomic>
 #include <chrono>
@@ -27,6 +28,8 @@
 template <typename Handler, typename Adaptor = boost::asio::ip::tcp::socket>
 class Server
 {
+    using self_t = Server<Handler, Adaptor>;
+
   public:
     Server(Handler* handlerIn, boost::asio::ip::tcp::acceptor&& acceptorIn,
            std::shared_ptr<boost::asio::ssl::context> adaptorCtxIn,
@@ -100,14 +103,6 @@
                 {
                     BMCWEB_LOG_INFO("Receivied reload signal");
                     loadCertificate();
-                    boost::system::error_code ec2;
-                    acceptor.cancel(ec2);
-                    if (ec2)
-                    {
-                        BMCWEB_LOG_ERROR(
-                            "Error while canceling async operations:{}",
-                            ec2.message());
-                    }
                     startAsyncWaitForSignal();
                 }
                 else
@@ -122,16 +117,20 @@
     {
         ioService->stop();
     }
+    using Socket = boost::beast::lowest_layer_type<Adaptor>;
+    using SocketPtr = std::unique_ptr<Socket>;
 
-    void doAccept()
+    void afterAccept(SocketPtr socket, const boost::system::error_code& ec)
     {
-        if (ioService == nullptr)
+        if (ec)
         {
-            BMCWEB_LOG_CRITICAL("IoService was null");
+            BMCWEB_LOG_ERROR("Failed to accept socket {}", ec);
             return;
         }
+
         boost::asio::steady_timer timer(*ioService);
         std::shared_ptr<Connection<Adaptor, Handler>> connection;
+
         if constexpr (std::is_same<Adaptor,
                                    boost::asio::ssl::stream<
                                        boost::asio::ip::tcp::socket>>::value)
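Review bot: afterAccept returns on any accept error without re-arming the acceptor, so a single failed accept ends the listen loop; the removed lambda called doAccept() whether or not `ec` was set. Transient errors such as file descriptor exhaustion can be provoked by a client holding many connections open, and the server would then stop taking new connections until it is restarted. Re-arm inside the error branch unless the operation was cancelled, with `if (ec != boost::asio::error::operation_aborted) { doAccept(); }` placed before the `return;`. afterAccept's body continues in the next hunk, where the only doAccept() call sits at the end of the success path.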
@@ -144,24 +143,36 @@
             }
             connection = std::make_shared<Connection<Adaptor, Handler>>(
                 handler, std::move(timer), getCachedDateStr,
-                Adaptor(*ioService, *adaptorCtx));
+                Adaptor(std::move(*socket), *adaptorCtx));
         }
         else
         {
             connection = std::make_shared<Connection<Adaptor, Handler>>(
                 handler, std::move(timer), getCachedDateStr,
-                Adaptor(*ioService));
+                Adaptor(std::move(*socket)));
         }
+
+        boost::asio::post(*ioService, [connection] { connection->start(); });
+
+        doAccept();
+    }
+
+    void doAccept()
+    {
+        if (ioService == nullptr)
+        {
+            BMCWEB_LOG_CRITICAL("IoService was null");
+            return;
+        }
+
+        SocketPtr socket = std::make_unique<Socket>(*ioService);
+        // Keep a raw pointer so when the socket is moved, the pointer is still
+        // valid
+        Socket* socketPtr = socket.get();
+
         acceptor.async_accept(
-            boost::beast::get_lowest_layer(connection->socket()),
-            [this, connection](const boost::system::error_code& ec) {
-            if (!ec)
-            {
-                boost::asio::post(*ioService,
-                                  [connection] { connection->start(); });
-            }
-            doAccept();
-        });
+            *socketPtr,
+            std::bind_front(&self_t::afterAccept, this, std::move(socket)));
     }
 
   private:
