diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index a2437caa..72e7b096 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -79,6 +79,8 @@ Contributors:
 int tls_ex_index_mosq = -1;
 UI_METHOD *_ui_method = NULL;
+static bool is_tls_initialized = false;
+
 /* Functions taken from OpenSSL s_server/s_client */
 static int ui_open(UI *ui)
 {
@@ -121,6 +123,7 @@ UI_METHOD *net__get_ui_method(void)
 {
 return _ui_method;
 }
+
 #endif
 int net__init(void)
@@ -136,24 +139,6 @@ int net__init(void)
 ares_library_init(ARES_LIB_INIT_ALL);
 #endif
-#ifdef WITH_TLS
-# if OPENSSL_VERSION_NUMBER < 0x10100000L
- SSL_load_error_strings();
- SSL_library_init();
- OpenSSL_add_all_algorithms();
-# else
- OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
- | OPENSSL_INIT_ADD_ALL_DIGESTS \
- | OPENSSL_INIT_LOAD_CONFIG, NULL);
-# endif
-#if !defined(OPENSSL_NO_ENGINE)
- ENGINE_load_builtin_engines();
-#endif
- setup_ui_method();
- if(tls_ex_index_mosq == -1){
- tls_ex_index_mosq = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
- }
-#endif
 return MOSQ_ERR_SUCCESS;
 }
@@ -169,6 +154,7 @@ void net__cleanup(void)
 # if !defined(OPENSSL_NO_ENGINE)
 ENGINE_cleanup();
 # endif
+ is_tls_initialized = false;
 # endif
 CONF_modules_unload(1);
@@ -184,6 +170,31 @@ void net__cleanup(void)
 #endif
 }
+#ifdef WITH_TLS
+void net__init_tls(void)
+{
+ if(is_tls_initialized) return;
+
+# if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSL_load_error_strings();
+ SSL_library_init();
+ OpenSSL_add_all_algorithms();
+# else
+ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
+ | OPENSSL_INIT_ADD_ALL_DIGESTS \
+ | OPENSSL_INIT_LOAD_CONFIG, NULL);
+# endif
+#if !defined(OPENSSL_NO_ENGINE)
+ ENGINE_load_builtin_engines();
+#endif
+ setup_ui_method();
+ if(tls_ex_index_mosq == -1){
+ tls_ex_index_mosq = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
+ }
+
+ is_tls_initialized = true;
+}
+#endif
 /* Close a socket associated with a context and set it to -1.
 * Returns 1 on failure (context is NULL)
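Review bot: The added `is_tls_initialized = false;` in `net__cleanup()` sits directly before a `# endif` whose opening `#if` is outside this hunk, so the flag is cleared only in builds where that conditional is compiled in. If that is the pre-1.1.0 OpenSSL branch (the neighbouring `ENGINE_cleanup()` suggests it, but the opener is not visible), then on other builds a cleanup followed by a new init leaves the flag true and `net__init_tls()` returns early without re-running `setup_ui_method()`. Either move the reset so it applies to every WITH_TLS build, or add a comment next to it, e.g. `/* flag reset only for OpenSSL < 1.1.0 because <reason> */`, so the asymmetry is deliberate and documented.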
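Review bot: The `if(is_tls_initialized) return;` guard in the new `net__init_tls()` tests and sets a plain `static bool` with no synchronisation, while this commit moves the call from `net__init()` to the per-client `net__init_ssl_ctx()` path. If two threads set up their first TLS client concurrently, both can pass the guard and run `SSL_library_init()` and `SSL_get_ex_new_index()` in parallel; whether callers serialise this is not visible here. Where threading is compiled in, a one-time primitive such as `pthread_once()` or a mutex around the check-and-set would close the window, otherwise the declaration should state that the first TLS setup must happen on a single thread. The flag is also set to `true` regardless of the `OPENSSL_init_crypto()` return value or a `-1` from `SSL_get_ex_new_index()`, so a failed initialisation is neither reported nor retried; returning an `int` status would let `net__init_ssl_ctx()` fail cleanly.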
@@ -606,6 +617,8 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 * MOSQ_OPT_SSL_CTX_WITH_DEFAULTS are set. */
 if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
 if(!mosq->ssl_ctx){
+ net__init_tls();
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 mosq->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
 #else
diff --git a/lib/net_mosq.h b/lib/net_mosq.h
index 3037d9e9..937b6491 100644
--- a/lib/net_mosq.h
+++ b/lib/net_mosq.h
@@ -55,6 +55,10 @@ struct mosquitto_db;
 int net__init(void);
 void net__cleanup(void);
+#ifdef WITH_TLS
+void net__init_tls(void);
+#endif
+
 int net__socket_connect(struct mosquitto *mosq, const char *host, uint16_t port, const char *bind_address, bool blocking);
 #ifdef WITH_BROKER
 int net__socket_close(struct mosquitto_db *db, struct mosquitto *mosq);
diff --git a/src/net.c b/src/net.c
index fbca5051..246bfc3c 100644
--- a/src/net.c
+++ b/src/net.c
@@ -72,6 +72,9 @@ void net__broker_init(void)
 {
 spare_sock = socket(AF_INET, SOCK_STREAM, 0);
 net__init();
+#ifdef WITH_TLS
+ net__init_tls();
+#endif
 }
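Review bot: In the lib/net_mosq.c hunk for `net__init_ssl_ctx()`, `net__init_tls()` is reached only inside `if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk)` and `if(!mosq->ssl_ctx)`, so a client that arrives with an SSL_CTX already set (the context comment refers to MOSQ_OPT_SSL_CTX) never triggers it. Because the same commit removes the unconditional initialisation from `net__init()`, `tls_ex_index_mosq` would then still be `-1` and `_ui_method` unset when they are used later; those uses are outside the hunk, so this needs confirming against the rest of the file. Calling `net__init_tls();` at the top of `net__init_ssl_ctx()`, before either condition, would cover every client TLS path. The function body starts and ends outside this hunk.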