1 files changed, 11 insertions, 12 deletions

diff --git a/tls.c b/tls.c
index 90458c4..26adb2b 100644
--- a/tls.c
+++ b/tls.c
@@ -609,14 +609,6 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 	if (ctx->config->verify_cert == 0)
 		goto done;
 
-	/* If no CA has been specified, attempt to load the default. */
-	if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
-		if (tls_config_load_file(&ctx->error, "CA", tls_default_ca_cert_file(),
-		    &ca_mem, &ca_len) != 0)
-			goto err;
-		ca_free = ca_mem;
-	}
-
 	if (ca_mem != NULL) {
 		if (ca_len > INT_MAX) {
 			tls_set_errorx(ctx, "ca too long");
@@ -626,10 +618,17 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 			tls_set_errorx(ctx, "ssl verify memory setup failure");
 			goto err;
 		}
-	} else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
-	    ctx->config->ca_path) != 1) {
-		tls_set_errorx(ctx, "ssl verify locations failure");
-		goto err;
+	} else if (ctx->config->ca_path != NULL) {
+		if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
+			ctx->config->ca_path) != 1) {
+			tls_set_errorx(ctx, "ssl verify locations failure");
+			goto err;
+		}
+	} else {
+		if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
+			tls_set_errorx(ctx, "ssl verify locations failure");
+			goto err;
+		}
 	}
 
 	if (crl_mem != NULL) {