@@ -1721,11 +1721,10 @@
     unsigned char *key, unsigned char *cert, int key_len, int cert_len, char *CApath,
     char *CAfile, char *ciphers, char *ciphersuites, int level, char *DHparams) {
     Tcl_Interp *interp = statePtr->interp;
     SSL_CTX *ctx = NULL;
     Tcl_DString ds;
-    Tcl_DString ds1;
     int off = 0, abort = 0;
     int load_private_key;
     const SSL_METHOD *method;
 
     dprintf("Called");
@@ -1902,10 +1901,12 @@
 #else
     {
 	DH* dh;
 	if (DHparams != NULL) {
 	    BIO *bio;
+
+	    Tcl_DStringInit(&ds);
 	    bio = BIO_new_file(F2N(DHparams, &ds), "r");
 	    if (!bio) {
 		Tcl_DStringFree(&ds);
 		Tcl_AppendResult(interp, "Could not find DH parameters file", (char *) NULL);
 		SSL_CTX_free(ctx);
@@ -1937,10 +1938,11 @@
     /* set our certificate */
     load_private_key = 0;
     if (certfile != NULL) {
 	load_private_key = 1;
 
+	Tcl_DStringInit(&ds);
 	if (SSL_CTX_use_certificate_file(ctx, F2N(certfile, &ds), SSL_FILETYPE_PEM) <= 0) {
 	    Tcl_DStringFree(&ds);
 	    Tcl_AppendResult(interp, "unable to set certificate file ", certfile, ": ",
 		GET_ERR_REASON(), (char *) NULL);
 	    SSL_CTX_free(ctx);
@@ -1979,10 +1981,11 @@
 	    /* get the private key associated with this certificate */
 	    if (keyfile == NULL) {
 		keyfile = certfile;
 	    }
 
+	    Tcl_DStringInit(&ds);
 	    if (SSL_CTX_use_PrivateKey_file(ctx, F2N(keyfile, &ds), SSL_FILETYPE_PEM) <= 0) {
 		Tcl_DStringFree(&ds);
 		/* flush the passphrase which might be left in the result */
 		Tcl_SetResult(interp, NULL, TCL_STATIC);
 		Tcl_AppendResult(interp, "unable to set public key file ", keyfile, " ",
@@ -2021,40 +2024,47 @@
     /* Overrides for the CA verify path and file */
     {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (CApath != NULL || CAfile != NULL) {
 	    Tcl_DString ds1;
+	    Tcl_DStringInit(&ds);
+	    Tcl_DStringInit(&ds1);
+
 	    if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CApath, &ds1))) {
 		abort++;
 	    }
 	    Tcl_DStringFree(&ds);
 	    Tcl_DStringFree(&ds1);
 
 	    /* Set list of CAs to send to client when requesting a client certificate */
 	    /* https://sourceforge.net/p/tls/bugs/57/ */
 	    /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */
+	    Tcl_DStringInit(&ds);
 	    STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
 	    if (certNames != NULL) {
 		SSL_CTX_set_client_CA_list(ctx, certNames);
 	    }
 	    Tcl_DStringFree(&ds);
 	}
 
 #else
 	if (CApath != NULL) {
+	    Tcl_DStringInit(&ds);
 	    if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) {
 		abort++;
 	    }
 	    Tcl_DStringFree(&ds);
 	}
 	if (CAfile != NULL) {
+	    Tcl_DStringInit(&ds);
 	    if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) {
 		abort++;
 	    }
 	    Tcl_DStringFree(&ds);
 
 	    /* Set list of CAs to send to client when requesting a client certificate */
+	    Tcl_DStringInit(&ds);
 	    STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
 	    if (certNames != NULL) {
 		SSL_CTX_set_client_CA_list(ctx, certNames);
 	    }
 	    Tcl_DStringFree(&ds);