diff --git a/src/lib/tls/ctx.c b/src/lib/tls/ctx.c
index ec6c0104d340..bea1165f9bfe 100644
--- a/src/lib/tls/ctx.c
+++ b/src/lib/tls/ctx.c
@@ -490,14 +490,22 @@ SSL_CTX *tls_ctx_alloc(fr_tls_conf_t const *conf, bool client)
 #endif
 #endif
 
- /*
- * OpenSSL will automatically create certificate chains,
- * unless we tell it to not do that. The problem is that
- * it sometimes gets the chains right from a certificate
- * signature view, but wrong from the clients view.
- */
- if (!conf->auto_chain) {
- SSL_CTX_set_mode(ctx, SSL_MODE_NO_AUTO_CHAIN);
+ {
+ int mode = 0;
+
+ /*
+ * OpenSSL will automatically create certificate chains,
+ * unless we tell it to not do that. The problem is that
+ * it sometimes gets the chains right from a certificate
+ * signature view, but wrong from the clients view.
+ */
+ if (!conf->auto_chain) mode |= SSL_MODE_NO_AUTO_CHAIN;
+
+ if (client) {
+ mode |= SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
+ mode |= SSL_MODE_AUTO_RETRY;
+ }
+ SSL_CTX_set_mode(ctx, mode);
 }
 
 /* Set Info callback */
diff --git a/src/lib/tls/session.c b/src/lib/tls/session.c
index cd19f90a4b7e..580aec39dbb9 100644
--- a/src/lib/tls/session.c
+++ b/src/lib/tls/session.c
@@ -1471,8 +1471,6 @@ tls_session_t *tls_session_init_client(TALLOC_CTX *ctx, fr_tls_conf_t *conf)
 session->ctx = conf->ctx[(conf->ctx_count == 1) ? 0 : conf->ctx_next++ % conf->ctx_count]; /* mutex not needed */
 rad_assert(session->ctx);
 
- SSL_CTX_set_mode(session->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY);
-
 session->ssl = SSL_new(session->ctx);
 if (!session->ssl) {
 talloc_free(session);
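Review bot: The new `if (client) {` branch in tls_ctx_alloc() sets `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` and `SSL_MODE_AUTO_RETRY` without a comment, while the comment kept above it explains only `SSL_MODE_NO_AUTO_CHAIN`. I would add above the branch something like `/* Client contexts only: a retried SSL_write() may pass a different buffer address (the data must be unchanged), and handshake retries are handled inside OpenSSL on blocking transports. */`. Because the session.c hunk drops the per-session call, these bits now depend on every context that tls_session_init_client() picks from `conf->ctx[]` having been allocated with `client == true`; that is not visible in this diff and is worth confirming. `SSL_CTX_set_mode()` takes a `long`, so `long mode = 0;` would match the API better than `int`. The body of tls_ctx_alloc() starts and ends outside this hunk.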