diff --git a/lib/tls/lws-genec-common.c b/lib/tls/lws-genec-common.c index 3be6a2ed1..0df1c8b0f 100644 --- a/lib/tls/lws-genec-common.c +++ b/lib/tls/lws-genec-common.c @@ -40,7 +40,7 @@ lws_genec_curve(const struct lws_ec_curves *table, const char *name) return NULL; } -extern const struct lws_ec_curves lws_ec_curves[]; +//extern const struct lws_ec_curves *lws_ec_curves; int lws_genec_confirm_curve_allowed_by_tls_id(const char *allowed, int id, diff --git a/lib/tls/openssl/openssl-server.c b/lib/tls/openssl/openssl-server.c index fee519012..774a4cdbb 100644 --- a/lib/tls/openssl/openssl-server.c +++ b/lib/tls/openssl/openssl-server.c @@ -170,12 +170,13 @@ lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi, int n = lws_tls_generic_cert_checks(vhost, cert, private_key), m; + (void)ret; + if (!cert && !private_key) n = LWS_TLS_EXTANT_ALTERNATIVE; if (n == LWS_TLS_EXTANT_NO && (!mem_cert || !mem_privkey)) return 0; - if (n == LWS_TLS_EXTANT_NO) n = LWS_TLS_EXTANT_ALTERNATIVE; @@ -183,6 +184,9 @@ lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi, return 1; /* no alternative */ if (n == LWS_TLS_EXTANT_ALTERNATIVE) { + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + /* * Although we have prepared update certs, we no longer have * the rights to read our own cert + key we saved. 
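Review bot: The replaced declaration in lib/tls/lws-genec-common.c is left behind as commented-out code, and the commented form (`*lws_ec_curves`) no longer matches the array type of the line it replaces. If anything further down this file still names `lws_ec_curves`, it now relies on a declaration from a header that is not visible in this hunk. I would delete the `//extern …` line outright, or replace it with a one-line comment such as `/* lws_ec_curves is declared in <HEADER-THAT-OWNS-IT> */` naming the real location.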
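Review bot: `(void)ret;` at the top of lws_tls_server_certs_load silences the unused-variable warning in every build, including the ones where `ret` is actually assigned, so a return value dropped later would no longer be flagged. The declaration of `ret` is outside the hunk; presumably it is only used in the `OPENSSL_VERSION_NUMBER >= 0x10100000L` arm introduced further down. Declaring `ret` under that same `#if` would keep the warning useful. If the cast stays, a comment like `/* ret is only used on OpenSSL >= 1.1.0 */` would explain it.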
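Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` opens inside the `if (n == LWS_TLS_EXTANT_ALTERNATIVE) {` block and is closed only after `check_key:` in the next hunk, so each preprocessor arm closes that brace on its own and neither arm reads as balanced in isolation. The `#else` arm carries `#ifndef USE_WOLFSSL` alternatives, which suggests wolfSSL builds are expected to land there; that only holds if the version number wolfSSL's compatibility header reports is below 0x10100000L, which I believe depends on how wolfSSL was configured, so it is worth confirming. If that is the intent, `#if !defined(USE_WOLFSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L` states it directly, and tagging the far ends as `#else /* legacy OpenSSL or wolfSSL */` and `#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */` would help the next reader.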
@@ -286,6 +290,91 @@ lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi, return 1; } +#else + /* + * Although we have prepared update certs, we no longer have + * the rights to read our own cert + key we saved. + * + * If we were passed copies in memory buffers, use those + * instead. + * + * The passed memory-buffer cert image is in DER, and the + * memory-buffer private key image is PEM. + */ +#ifndef USE_WOLFSSL + if (SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx, + (int)mem_cert_len, + (uint8_t *)mem_cert) != 1) { +#else + if (wolfSSL_CTX_use_certificate_buffer(vhost->tls.ssl_ctx, + (uint8_t *)mem_cert, + (int)mem_cert_len, + WOLFSSL_FILETYPE_ASN1) != 1) { + +#endif + lwsl_err("Problem loading update cert\n"); + + return 1; + } + + if (lws_tls_alloc_pem_to_der_file(vhost->context, NULL, + mem_privkey, mem_privkey_len, + &p, &flen)) { + lwsl_notice("unable to convert memory privkey\n"); + + return 1; + } +#ifndef USE_WOLFSSL + if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, + vhost->tls.ssl_ctx, p, + (long)(long long)flen) != 1) { +#else + if (wolfSSL_CTX_use_PrivateKey_buffer(vhost->tls.ssl_ctx, p, + flen, WOLFSSL_FILETYPE_ASN1) != 1) { +#endif + lwsl_notice("unable to use memory privkey\n"); + + return 1; + } + + goto check_key; + } + + /* set the local certificate from CertFile */ + m = SSL_CTX_use_certificate_chain_file(vhost->tls.ssl_ctx, cert); + if (m != 1) { + error = ERR_get_error(); + lwsl_err("problem getting cert '%s' %lu: %s\n", + cert, error, ERR_error_string(error, + (char *)vhost->context->pt[0].serv_buf)); + + return 1; + } + + if (n != LWS_TLS_EXTANT_ALTERNATIVE && private_key) { + /* set the private key from KeyFile */ + if (SSL_CTX_use_PrivateKey_file(vhost->tls.ssl_ctx, private_key, + SSL_FILETYPE_PEM) != 1) { + error = ERR_get_error(); + lwsl_err("ssl problem getting key '%s' %lu: %s\n", + private_key, error, + ERR_error_string(error, + (char *)vhost->context->pt[0].serv_buf)); + return 1; + } + } else { + if 
(vhost->protocols[0].callback(wsi, + LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY, + vhost->tls.ssl_ctx, NULL, 0)) { + lwsl_err("ssl private key not set\n"); + + return 1; + } + } + +check_key: +#endif + /* verify private key */ if (!SSL_CTX_check_private_key(vhost->tls.ssl_ctx)) { lwsl_err("Private SSL key doesn't match cert\n"); @@ -293,6 +382,7 @@ lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi, return 1; } + #if !defined(OPENSSL_NO_EC) if (vhost->tls.ecdh_curve[0]) ecdh_curve = vhost->tls.ecdh_curve; diff --git a/lib/tls/tls-client.c b/lib/tls/tls-client.c index ba6ddfc02..99349c865 100644 --- a/lib/tls/tls-client.c +++ b/lib/tls/tls-client.c @@ -98,6 +98,12 @@ int lws_context_init_client_ssl(const struct lws_context_creation_info *info, if (vhost->options & LWS_SERVER_OPTION_ADOPT_APPLY_LISTEN_ACCEPT_CONFIG) return 0; + if (vhost->tls.ssl_ctx) { + cert_filepath = NULL; + private_key_filepath = NULL; + ca_filepath = NULL; + } + /* * for backwards-compatibility default to using ssl_... members, but * if the newer client-specific ones are given, use those
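Review bot: In the added `#else` arm, the DER private key that `lws_tls_alloc_pem_to_der_file()` returns in `p` is not released on either path: the failure branch after `SSL_CTX_use_PrivateKey_ASN1` / `wolfSSL_CTX_use_PrivateKey_buffer` does `return 1` immediately, and the success path jumps to `check_key` with no free visible in this hunk. Unless it is freed later outside the hunk, that leaves a plaintext copy of the server key on the heap for the life of the process. I would clear the `flen` bytes and then call `lws_free_set_NULL(p);` before both the `return 1` and the `goto check_key` (assuming `p` comes from lws's allocator, as the helper's name suggests). Separately, `SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, …)` is told to parse the key as RSA, so an in-memory EC key would presumably be rejected with only "unable to use memory privkey"; a comment stating that limitation would save debugging. The function begins and ends outside the hunk.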
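Review bot: The new `if (vhost->tls.ssl_ctx)` block in lws_context_init_client_ssl clears `cert_filepath`, `private_key_filepath` and `ca_filepath` without a comment saying why, and dropping `ca_filepath` changes which trust anchors the client context ends up with. Judging by the comment that follows, the client-specific members can presumably still set these afterwards, but when they are absent the client side is now built without the caller's CA file and nothing is logged. I would add `/* a server ctx already exists on this vhost: the generic ssl_* paths belong to it, so only the client_ssl_* members may configure the client ctx */` above the block (if that is indeed the intent), and consider an `lwsl_info()` line when a caller-supplied CA path is discarded. Where the three variables are initialised and consumed is outside the hunk.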