@@ -1892,10 +1892,11 @@
     /* set some callbacks */
     SSL_CTX_set_default_passwd_cb(ctx, PasswordCallback);
     SSL_CTX_set_default_passwd_cb_userdata(ctx, (void *)statePtr);
 
     /* read a Diffie-Hellman parameters file, or use the built-in one */
+    Tcl_DStringInit(&ds);
 #ifdef OPENSSL_NO_DH
     if (DHparams != NULL) {
 	Tcl_AppendResult(interp, "DH parameter support not available", (char *) NULL);
 	SSL_CTX_free(ctx);
 	return NULL;
@@ -1904,11 +1905,10 @@
     {
 	DH* dh;
 	if (DHparams != NULL) {
 	    BIO *bio;
 
-	    Tcl_DStringInit(&ds);
 	    bio = BIO_new_file(F2N(DHparams, &ds), "r");
 	    if (!bio) {
 		Tcl_DStringFree(&ds);
 		Tcl_AppendResult(interp, "Could not find DH parameters file", (char *) NULL);
 		SSL_CTX_free(ctx);
@@ -1940,11 +1940,10 @@
     /* set our certificate */
     load_private_key = 0;
     if (certfile != NULL) {
 	load_private_key = 1;
 
-	Tcl_DStringInit(&ds);
 	if (SSL_CTX_use_certificate_file(ctx, F2N(certfile, &ds), SSL_FILETYPE_PEM) <= 0) {
 	    Tcl_DStringFree(&ds);
 	    Tcl_AppendResult(interp, "unable to set certificate file ", certfile, ": ",
 		GET_ERR_REASON(), (char *) NULL);
 	    SSL_CTX_free(ctx);
@@ -1983,11 +1982,10 @@
 	    /* get the private key associated with this certificate */
 	    if (keyfile == NULL) {
 		keyfile = certfile;
 	    }
 
-	    Tcl_DStringInit(&ds);
 	    if (SSL_CTX_use_PrivateKey_file(ctx, F2N(keyfile, &ds), SSL_FILETYPE_PEM) <= 0) {
 		Tcl_DStringFree(&ds);
 		/* flush the passphrase which might be left in the result */
 		Tcl_SetResult(interp, NULL, TCL_STATIC);
 		Tcl_AppendResult(interp, "unable to set public key file ", keyfile, " ",
@@ -2026,11 +2024,10 @@
     /* Overrides for the CA verify path and file */
     {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (CApath != NULL || CAfile != NULL) {
 	    Tcl_DString ds1;
-	    Tcl_DStringInit(&ds);
 	    Tcl_DStringInit(&ds1);
 
 	    if (!SSL_CTX_load_verify_locations(ctx, F2N(CAfile, &ds), F2N(CApath, &ds1))) {
 		abort++;
 	    }
@@ -2038,35 +2035,31 @@
 	    Tcl_DStringFree(&ds1);
 
 	    /* Set list of CAs to send to client when requesting a client certificate */
 	    /* https://sourceforge.net/p/tls/bugs/57/ */
 	    /* XXX:TODO: Let the user supply values here instead of something that exists on the filesystem */
-	    Tcl_DStringInit(&ds);
 	    STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
 	    if (certNames != NULL) {
 		SSL_CTX_set_client_CA_list(ctx, certNames);
 	    }
 	    Tcl_DStringFree(&ds);
 	}
 
 #else
 	if (CApath != NULL) {
-	    Tcl_DStringInit(&ds);
 	    if (!SSL_CTX_load_verify_dir(ctx, F2N(CApath, &ds))) {
 		abort++;
 	    }
 	    Tcl_DStringFree(&ds);
 	}
 	if (CAfile != NULL) {
-	    Tcl_DStringInit(&ds);
 	    if (!SSL_CTX_load_verify_file(ctx, F2N(CAfile, &ds))) {
 		abort++;
 	    }
 	    Tcl_DStringFree(&ds);
 
 	    /* Set list of CAs to send to client when requesting a client certificate */
-	    Tcl_DStringInit(&ds);
 	    STACK_OF(X509_NAME) *certNames = SSL_load_client_CA_file(F2N(CAfile, &ds));
 	    if (certNames != NULL) {
 		SSL_CTX_set_client_CA_list(ctx, certNames);
 	    }
 	    Tcl_DStringFree(&ds);