diff --git a/src/quic/outgoing.rs b/src/quic/outgoing.rs
index 0036917..c47a4da 100644
--- a/src/quic/outgoing.rs
+++ b/src/quic/outgoing.rs
@@ -7,9 +7,9 @@ use crate::{
 use anyhow::Result;
 use log::trace;
-pub async fn quic_connect(target: SocketAddr, server_name: &str, config: OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
+pub async fn quic_connect(target: SocketAddr, server_name: &str, config: &OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
 let bind_addr = "0.0.0.0:0".parse().unwrap();
- let client_cfg = config.config_alpn;
+ let client_cfg = config.config_alpn.clone();
 let mut endpoint = quinn::Endpoint::client(bind_addr)?;
 endpoint.set_default_client_config(quinn::ClientConfig::new(client_cfg));
diff --git a/src/srv.rs b/src/srv.rs
index de70c30..fa1dfc3 100644
--- a/src/srv.rs
+++ b/src/srv.rs
@@ -190,7 +190,7 @@ impl XmppConnection {
 stream_open: &[u8],
 in_filter: &mut StanzaFilter,
 client_addr: &mut Context<'_>,
- config: OutgoingVerifierConfig,
+ config: &OutgoingVerifierConfig,
 ) -> Result<(StanzaWrite, StanzaRead, SocketAddr, &'static str)> {
 debug!("{} attempting connection to SRV: {:?}", client_addr.log_from(), self);
 // todo: for DNSSEC we need to optionally allow target in addition to domain, but what for SNI
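Review bot: `bind_addr` is fixed to `0.0.0.0:0` on the line right after the new signature, so an IPv6 `target` cannot be reached from the IPv4 socket that `quinn::Endpoint::client` opens; if the lookups feeding `to_addr` in srv.rs can return AAAA results, pick the family from the target, e.g. `let bind_addr: SocketAddr = if target.is_ipv6() { "[::]:0".parse().unwrap() } else { "0.0.0.0:0".parse().unwrap() };`. The new `config.config_alpn.clone()` is presumably an `Arc` refcount bump given what `quinn::ClientConfig::new` accepts, so borrowing `config` costs nothing here — a short `// Arc clone, cheap` comment would stop someone later "optimising" it back to a move. The function also has no doc comment; I would add a `///` line stating that the peer is authenticated by the verifier carried in `config` (see `with_custom_certificate_verifier` in srv.rs) and that `server_name` is presumably the SNI/validation name — confirm against the `endpoint.connect` call, which lies outside the hunk. The body of `quic_connect` continues past the end of this hunk.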
@@ -207,28 +207,28 @@ impl XmppConnection {
 debug!("{} trying ip {}", client_addr.log_from(), to_addr);
 match self.conn_type {
 #[cfg(feature = "tls")]
- XmppConnectionType::StartTLS => match crate::tls::outgoing::starttls_connect(to_addr, domain, stream_open, in_filter, config.clone()).await {
+ XmppConnectionType::StartTLS => match crate::tls::outgoing::starttls_connect(to_addr, domain, stream_open, in_filter, config).await {
 Ok((wr, rd)) => return Ok((wr, rd, to_addr, "starttls-out")),
 Err(e) => error!("starttls connection failed to IP {} from SRV {}, error: {}", to_addr, self.target, e),
 },
 #[cfg(feature = "tls")]
- XmppConnectionType::DirectTLS => match crate::tls::outgoing::tls_connect(to_addr, domain, config.clone()).await {
+ XmppConnectionType::DirectTLS => match crate::tls::outgoing::tls_connect(to_addr, domain, config).await {
 Ok((wr, rd)) => return Ok((wr, rd, to_addr, "directtls-out")),
 Err(e) => error!("direct tls connection failed to IP {} from SRV {}, error: {}", to_addr, self.target, e),
 },
 #[cfg(feature = "quic")]
- XmppConnectionType::QUIC => match crate::quic::outgoing::quic_connect(to_addr, domain, config.clone()).await {
+ XmppConnectionType::QUIC => match crate::quic::outgoing::quic_connect(to_addr, domain, config).await {
 Ok((wr, rd)) => return Ok((wr, rd, to_addr, "quic-out")),
 Err(e) => error!("quic connection failed to IP {} from SRV {}, error: {}", to_addr, self.target, e),
 },
 #[cfg(feature = "websocket")]
 // todo: when websocket is found via DNS, we need to validate cert against domain, *not* target, this is a security problem with XEP-0156, we are doing it the secure but likely unexpected way here for now
- XmppConnectionType::WebSocket(ref url, ref origin) => match crate::websocket::outgoing::websocket_connect(to_addr, domain, url, origin, config.clone()).await {
+ XmppConnectionType::WebSocket(ref url, ref origin) => match crate::websocket::outgoing::websocket_connect(to_addr, domain, url, origin, config).await {
 Ok((wr, rd)) => return Ok((wr, rd, to_addr, "websocket-out")),
 Err(e) => {
 if self.secure && self.target != orig_domain {
 // https is a special case, as target is sent in the Host: header, so we have to literally try twice in case this is set for the other on the server
- match crate::websocket::outgoing::websocket_connect(to_addr, orig_domain, url, origin, config.clone()).await {
+ match crate::websocket::outgoing::websocket_connect(to_addr, orig_domain, url, origin, config).await {
 Ok((wr, rd)) => return Ok((wr, rd, to_addr, "websocket-out")),
 Err(e2) => error!("websocket connection failed to IP {} from TXT {}, error try 1: {}, error try 2: {}", to_addr, url, e, e2),
 }
@@ -466,7 +466,7 @@ pub async fn srv_connect(
 let (srvs, cert_verifier) = get_xmpp_connections(domain, is_c2s).await?;
 let config = config.with_custom_certificate_verifier(is_c2s, Arc::new(cert_verifier));
 for srv in srvs {
- let connect = srv.connect(domain, stream_open, in_filter, client_addr, config.clone()).await;
+ let connect = srv.connect(domain, stream_open, in_filter, client_addr, &config).await;
 if connect.is_err() {
 continue;
 }
diff --git a/src/tls/outgoing.rs b/src/tls/outgoing.rs
index 6b62d78..379cf21 100644
--- a/src/tls/outgoing.rs
+++ b/src/tls/outgoing.rs
@@ -9,7 +9,7 @@ use rustls::ServerName;
 use std::{convert::TryFrom, net::SocketAddr};
 use tokio::io::AsyncWriteExt;
-pub async fn tls_connect(target: SocketAddr, server_name: &str, config: OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
+pub async fn tls_connect(target: SocketAddr, server_name: &str, config: &OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
 let dnsname = ServerName::try_from(server_name)?;
 let stream = tokio::net::TcpStream::connect(target).await?;
 let stream = config.connector_alpn.connect(dnsname, stream).await?;
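Review bot: In the WebSocket arm, when the retry against `orig_domain` succeeds, the first failure `e` — the attempt that validated against `domain` — is never logged; it only surfaces in the combined `error!` if the second attempt fails too. The two attempts differ in which name the certificate and the Host header are checked against, which is exactly the distinction the `// todo: … XEP-0156` comment above calls a security problem, so an operator should be able to see which one actually worked; I would log before retrying, e.g. `warn!("websocket connection to {} failed for {}, retrying with {}: {}", to_addr, domain, orig_domain, e);` (assuming `warn` is imported alongside `debug`/`error`). Beyond that, all four arms repeat the same `match … { Ok((wr, rd)) => return Ok((wr, rd, to_addr, "…")), Err(e) => error!(…) }` shape, and a small helper taking the connect future and the label string would shrink this block, but that is a style choice. `XmppConnection::connect` starts before and ends after this hunk.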
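Review bot: `if connect.is_err() { continue; }` in the loop of `srv_connect` discards the error and, unless the lines after the hunk re-inspect it, presumably leaves an `unwrap`/`expect` to extract the Ok value; the shape that avoids both is `let Ok((wr, rd, addr, proto)) = srv.connect(domain, stream_open, in_filter, client_addr, &config).await else { continue };` (let-else, Rust 1.65+). Nothing is lost by dropping the error here since each per-IP failure is already logged at `error!` level inside `connect`, and a one-line comment saying so would keep the next reader from wondering. What happens when every `srv` fails, and how the successful tuple is used, is outside the hunk.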
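Review bot: Neither `tokio::net::TcpStream::connect(target)` nor `config.connector_alpn.connect(dnsname, stream)` in `tls_connect` is bounded by a timeout; the TCP connect usually fails at the OS level eventually, but the TLS handshake has no bound, so a peer that accepts the connection and then goes silent stalls this attempt — and, because `XmppConnection::connect` tries candidates sequentially, every later address behind it. If tokio's `time` feature is enabled, wrap both, e.g. `let stream = tokio::time::timeout(CONNECT_TIMEOUT, tokio::net::TcpStream::connect(target)).await??;` and the same around the TLS connect, where `CONNECT_TIMEOUT` is a placeholder constant to define for this crate. `starttls_connect` in the next hunk of this file has the same unbounded connect and handshake, and the QUIC and WebSocket connectors presumably do as well (their connect calls are outside the visible hunks). `tls_connect` continues past the end of this hunk.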
@@ -17,7 +17,7 @@ pub async fn tls_connect(target: SocketAddr, server_name: &str, config: Outgoing
 Ok((StanzaWrite::new(wrt), StanzaRead::new(rd)))
 }
-pub async fn starttls_connect(target: SocketAddr, server_name: &str, stream_open: &[u8], in_filter: &mut StanzaFilter, config: OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
+pub async fn starttls_connect(target: SocketAddr, server_name: &str, stream_open: &[u8], in_filter: &mut StanzaFilter, config: &OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
 let dnsname = ServerName::try_from(server_name)?;
 let mut stream = tokio::net::TcpStream::connect(target).await?;
 let (in_rd, mut in_wr) = stream.split();
diff --git a/src/websocket/outgoing.rs b/src/websocket/outgoing.rs
index bfa8670..f06cbb5 100644
--- a/src/websocket/outgoing.rs
+++ b/src/websocket/outgoing.rs
@@ -15,7 +15,7 @@ use tokio_tungstenite::tungstenite::{
 },
 };
-pub async fn websocket_connect(target: SocketAddr, server_name: &str, url: &Uri, origin: &str, config: OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
+pub async fn websocket_connect(target: SocketAddr, server_name: &str, url: &Uri, origin: &str, config: &OutgoingVerifierConfig) -> Result<(StanzaWrite, StanzaRead)> {
 let mut request = url.into_client_request()?;
 request.headers_mut().append(SEC_WEBSOCKET_PROTOCOL, "xmpp".parse()?);
 request.headers_mut().append(ORIGIN, origin.parse()?);
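Review bot: `websocket_connect` has no doc comment, and its security-relevant contract is the least obvious of the four connectors: `server_name` is (per the `// todo` in srv.rs and the `domain` argument passed there) presumably the name the certificate is validated against, while `url` and `origin` come from the discovered connection record (srv.rs logs the url as "from TXT"), so the certificate is deliberately not checked against the URL host. I would add a `///` block stating exactly that, and that the verifier inside `config` decides trust, so the next reader does not "fix" it by validating against `url`. One smaller point: `headers_mut().append(ORIGIN, origin.parse()?)` appends rather than replaces, so if `into_client_request()` ever sets an Origin itself the request carries two; `insert(ORIGIN, …)` expresses the intent of exactly one Origin header. Where `server_name` is actually applied is outside the hunk, so the validation claim should be confirmed there before it goes into the doc.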