diff --git a/library/legacy_auth.c b/library/legacy_auth.c
index 7c3cb2c2..ad544165 100644
--- a/library/legacy_auth.c
+++ b/library/legacy_auth.c
@@ -82,6 +82,7 @@ ziti_auth_method_t *new_legacy_auth(uv_loop_t *loop, const char *url, tls_contex
 auth->has_x509 = x509;
 tlsuv_http_init(loop, &auth->http, url);
+ tlsuv_http_connect_timeout(&auth->http, 10 * 1000);
 tlsuv_http_set_ssl(&auth->http, tls);
 uv_timer_init(loop, &auth->timer);
 AUTH_LOG(DEBUG, "method initialized");
diff --git a/library/oidc.c b/library/oidc.c
index 5047c33a..926cafd3 100644
--- a/library/oidc.c
+++ b/library/oidc.c
@@ -179,6 +179,7 @@ int oidc_client_configure(oidc_client_t *clt, oidc_config_cb cb) {
 clt->need_refresh = true;
 }
+ uv_timer_stop(clt->timer);
 clt->configuring = true;
 clt->config_cb = cb;
 json_object_put(clt->config);
@@ -640,10 +641,9 @@ static void refresh_time_cb(uv_timer_t *t) {
 }
 OIDC_LOG(DEBUG, "refreshing OIDC token");
- assert(clt->config);
 json_object *tok = json_object_object_get(clt->tokens, "refresh_token");
- if (tok == NULL) {
- OIDC_LOG(DEBUG, "must restart authentication flow: no refresh_token");
+ if (clt->config == NULL || tok == NULL) {
+ OIDC_LOG(DEBUG, "must restart authentication flow: no configuration or refresh_token");
 oidc_client_start(clt, clt->token_cb);
 return;
 }
diff --git a/library/ziti.c b/library/ziti.c
index 36e65565..bee59c58 100644
--- a/library/ziti.c
+++ b/library/ziti.c
@@ -537,6 +537,11 @@ static void ziti_stop_internal(ziti_context ztx, void *data) {
 ziti_set_unauthenticated(ztx, NULL);
 update_ctrl_status(ztx, ZITI_DISABLED, ziti_errorstr(ZITI_DISABLED));
 ztx->enabled = false;
+ ziti_ctrl_close(ztx_get_controller(ztx));
+ if (ztx->tlsCtx) {
+ ztx->tlsCtx->free_ctx(ztx->tlsCtx);
+ ztx->tlsCtx = NULL;
+ }
 if (ztx->closing) {
 shutdown_and_free(ztx);
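Review bot: The connect timeout added in new_legacy_auth (library/legacy_auth.c) is an inline `10 * 1000` with no unit or rationale at the call site. A named constant, for example `#define AUTH_CONNECT_TIMEOUT_MS (10 * 1000)`, would record that the value is presumably milliseconds. It would also give one place to tune how long an authentication attempt may hang on an unresponsive controller. The function body starts and ends outside the hunk.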
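Review bot: In oidc_client_configure (library/oidc.c, first hunk) the new `uv_timer_stop(clt->timer);` carries no comment saying why the refresh timer must be stopped at this point. It sits just before `json_object_put(clt->config)`, so it presumably keeps refresh_time_cb from firing while the configuration is being released; a comment such as `/* cancel pending refresh; clt->config is released below */` would record that. The line after `json_object_put` is outside the hunk: if `clt->config` is not reset to NULL there, the NULL test added in refresh_time_cb cannot detect a released object. Also confirm that `clt->timer` is always allocated on this path, since it is passed without a check.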
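Review bot: In refresh_time_cb (library/oidc.c, second hunk) the new `clt->config == NULL` case falls through to `oidc_client_start(clt, clt->token_cb)`, which is not visible here. If that function reads `clt->config`, the missing-configuration condition the removed assert guarded is only moved, not handled. The merged log text also hides which condition forced re-authentication. Assuming OIDC_LOG takes printf-style arguments, `OIDC_LOG(DEBUG, "must restart authentication flow: %s", clt->config == NULL ? "no configuration" : "no refresh_token");` keeps the two causes distinguishable. The function starts and ends outside the hunk.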
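Review bot: In ziti_stop_internal (library/ziti.c, first hunk) `ztx->tlsCtx` is freed immediately after `ziti_ctrl_close(...)`, and nothing visible shows that every holder of the context is finished with it by then. new_legacy_auth in this same commit passes a `tls_context` (presumably this one) to its HTTP client through `tlsuv_http_set_ssl`. If the controller or auth client finishes closing on a later loop iteration, a connection still referencing the context would touch freed memory. Either defer the free until those clients have completed their close, or state the requirement next to it, e.g. `/* tlsCtx is shared with the controller and auth HTTP clients; both must be closed before this free */`. The function continues outside the hunk, so whether `shutdown_and_free(ztx)` tolerates a NULL `tlsCtx` should be checked as well.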
@@ -921,12 +926,19 @@ void ziti_dump(ziti_context ztx, int (*printer)(void *arg, const char *fmt, ...)
 ztx->auth_state);
 if (ztx->auth_method->kind == OIDC) {
- printer(ctx, "Session Token: %s", jwt_payload(ztx->session_token));
+ printer(ctx, "Session Token: %s\n", jwt_payload(ztx->session_token));
 }
 } else {
 printer(ctx, "No Session found\n");
 }
+ if (ztx->session_creds.cert) {
+ const char *cert_text = ztx->session_creds.cert->get_text(ztx->session_creds.cert);
+ printer(ctx, "\nSession Cert: ====\n");
+ printer(ctx, "%s", cert_text);
+ printer(ctx, "====\n");
+ }
+ printer(ctx, "\n=================\nExternal Credentials:\n");
 const char *signer_name;
 ziti_jwt_signer *signer;
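Review bot: In ziti_dump (library/ziti.c, second hunk) `cert_text` goes straight into `printer(ctx, "%s", cert_text)` without a NULL check, and the return contract of `get_text` is not visible here. Passing NULL for `%s` is undefined behaviour, so guard the call: `if (cert_text != NULL) { printer(ctx, "%s", cert_text); }`. A short comment should also say whether the returned string is owned by the certificate object or must be released by the caller, since the hunk never frees it. ziti_dump starts and ends outside the hunk.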