diff --git a/configure.ac b/configure.ac
index faf51d26f1..6dc4dae91a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -650,7 +650,7 @@ AC_CHECK_FUNCS([SSL_CTX_set_keylog_callback])
 AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version])
 AC_CHECK_FUNCS([SSL_CTX_up_ref])
 AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex])
-AC_CHECK_FUNCS([SSL_CTX_up_ref])
+AC_CHECK_FUNCS([SSL_CTX_set1_cert_store X509_STORE_up_ref])
 
 #
 # Check for algorithm support in OpenSSL
diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c
index 6a9621f812..50784e331b 100644
--- a/lib/isc/openssl_shim.c
+++ b/lib/isc/openssl_shim.c
@@ -176,3 +176,23 @@ SSL_CTX_up_ref(SSL_CTX *ctx) {
 return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 0);
 }
 #endif /* !HAVE_SSL_CTX_UP_REF */
+
+#if !HAVE_X509_STORE_UP_REF
+
+int
+X509_STORE_up_ref(X509_STORE *store) {
+ return (CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE));
+}
+
+#endif /* !HAVE_OPENSSL_CLEANUP */
+
+#if !HAVE_SSL_CTX_SET1_CERT_STORE
+
+void
+SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) {
+ (void)X509_STORE_up_ref(store);
+
+ SSL_CTX_set_cert_store(ctx, store);
+}
+
+#endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h
index 47d73a7ed9..c0abd14467 100644
--- a/lib/isc/openssl_shim.h
+++ b/lib/isc/openssl_shim.h
@@ -125,3 +125,13 @@ OPENSSL_cleanup(void);
 int
 SSL_CTX_up_ref(SSL_CTX *store);
 #endif /* !HAVE_SSL_CTX_UP_REF */
+
+#if !HAVE_X509_STORE_UP_REF
+int
+X509_STORE_up_ref(X509_STORE *v);
+#endif /* !HAVE_OPENSSL_CLEANUP */
+
+#if !HAVE_SSL_CTX_SET1_CERT_STORE
+void
+SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
+#endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 533c403d5b..640fe2442c 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
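Review bot: The shim `SSL_CTX_set1_cert_store` dereferences `store` unconditionally through the shim `X509_STORE_up_ref` (`&store->references`), whereas the library's own `SSL_CTX_set1_cert_store`, to my knowledge, skips the up-ref when `store` is NULL and lets `SSL_CTX_set_cert_store` clear the store; a caller passing NULL on an old library therefore crashes only with the shim, so guard it as `if (store != NULL) { (void)X509_STORE_up_ref(store); }`. The shim `X509_STORE_up_ref` also returns the raw `CRYPTO_add` count rather than a success flag, unlike the sibling `SSL_CTX_up_ref` directly above it in the same hunk, so it should mirror that as `return (CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE) > 0);` to match the 1/0 contract callers expect from the real function. The `#endif` closing `#if !HAVE_X509_STORE_UP_REF` is annotated `/* !HAVE_OPENSSL_CLEANUP */`, and the same copy-pasted comment appears in the openssl_shim.h hunk; both should read `/* !HAVE_X509_STORE_UP_REF */`.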
@@ -990,19 +990,7 @@ isc_tlsctx_enable_peer_verification(isc_tlsctx_t *tlsctx, const bool is_server,
 }
 
 /* "Attach" the cert store to the context */
-#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x3050000fL)
- (void)X509_STORE_up_ref(store);
- SSL_CTX_set_cert_store(tlsctx, store);
-#elif defined(CRYPTO_LOCK_X509_STORE)
- /*
- * That is the case for OpenSSL < 1.1.X and LibreSSL < 3.5.0.
- * No SSL_CTX_set1_cert_store(), no X509_STORE_up_ref(). Sigh...
- */
- (void)CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
- SSL_CTX_set_cert_store(tlsctx, store);
-#else
 SSL_CTX_set1_cert_store(tlsctx, store);
-#endif
 
 /* enable verification */
 if (is_server) {
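Review bot: With the version-specific branches gone, the surviving `/* "Attach" the cert store to the context */` comment no longer records the reference semantics the removed comment spelled out; since `SSL_CTX_set1_cert_store` takes its own reference, the reference this function already holds on `store` is still its own to release, which is worth stating, e.g. `/* SSL_CTX_set1_cert_store() takes its own reference; the one held here must still be released */`. Whether that release happens in this function or its caller is outside the hunk. The unconditional call presumably relies on openssl_shim.h being included in tls.c so that libraries lacking `SSL_CTX_set1_cert_store` get the shim — not visible here, so worth confirming. isc_tlsctx_enable_peer_verification starts and ends outside the hunk.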