diff --git a/lib/auth/middleware.go b/lib/auth/middleware.go
index ccfb5e2cfcf02..1d14e693d5279 100644
--- a/lib/auth/middleware.go
+++ b/lib/auth/middleware.go
@@ -211,7 +211,7 @@ func NewTLSServer(ctx context.Context, cfg TLSServerConfig) (*TLSServer, error)
 	}
 
 	server.clientTLSConfigGenerator, err = NewClientTLSConfigGenerator(ClientTLSConfigGeneratorConfig{
-		TLS:                  server.cfg.TLS,
+		TLS:                  server.cfg.TLS.Clone(),
 		ClusterName:          localClusterName.GetClusterName(),
 		PermitRemoteClusters: true,
 		AccessPoint:          server.cfg.AccessPoint,
diff --git a/lib/service/service.go b/lib/service/service.go
index 28ee71b121e5d..e5bb0b6ce64bb 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -4326,7 +4326,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 
 	// clientTLSConfigGenerator pre-generates specialized per-cluster client TLS config values
 	clientTLSConfigGenerator, err := auth.NewClientTLSConfigGenerator(auth.ClientTLSConfigGeneratorConfig{
-		TLS:                  tlscfg,
+		TLS:                  tlscfg.Clone(),
 		ClusterName:          clusterName,
 		PermitRemoteClusters: true,
 		AccessPoint:          accessPoint,