diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index f8001c592..bb28f1815 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2985,15 +2985,20 @@ static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_an
 find_chain = issuer->chain;
 }
 
+ if (!find_chain) {
+ /* always put a null chain stack in the SSL_CTX so it does not
+ * try to build the chain from the verify store */
+ find_chain = sk_X509_new_null();
+ }
+
 /* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
- if (find_chain)
 #ifdef SSL_CTX_set1_chain
- if (!SSL_CTX_set1_chain(ctx, find_chain)) {
- memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
- err && *err ? *err : "", path);
- errcode |= ERR_ALERT | ERR_FATAL;
- goto end;
- }
+ if (!SSL_CTX_set1_chain(ctx, find_chain)) {
+ memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
+ err && *err ? *err : "", path);
+ errcode |= ERR_ALERT | ERR_FATAL;
+ goto end;
+ }
 #else
 { /* legacy compat (< openssl 1.0.2) */
 X509 *ca;
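Review bot: The result of `sk_X509_new_null()` in the new `if (!find_chain)` block is not checked, and on allocation failure `find_chain` stays NULL, so `SSL_CTX_set1_chain(ctx, NULL)` falls back to the very behaviour this change is meant to rule out (OpenSSL completing the chain from the verify store) without any error being reported. The empty stack also does not appear to be released anywhere in the hunk: `SSL_CTX_set1_chain` takes its own reference-counted copy, so unless the tail of the function (which continues past the hunk) frees it, every context build leaks one stack; the stacks borrowed from `ckch->chain`/`issuer->chain` must of course not be freed, so a local flag is needed to tell the two cases apart. I would fail loudly on the allocation error as below, declare `int own_chain = 0;` with the function's other locals, and free the locally allocated stack under `if (own_chain)` at the `end:` label so both the success path and the `goto end` error paths release it.
```c
	if (!find_chain) {
		/* always put a null chain stack in the SSL_CTX so it does not
		 * try to build the chain from the verify store */
		find_chain = sk_X509_new_null();
		if (!find_chain) {
			memprintf(err, "%sout of memory while building an empty chain for '%s'.\n",
			          err && *err ? *err : "", path);
			errcode |= ERR_ALERT | ERR_FATAL;
			goto end;
		}
		own_chain = 1; /* locally allocated: released at 'end:', not borrowed from ckch/issuer */
	}
	/* … unchanged: SSL_CTX_set1_chain() / legacy compat branches … */
```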