diff --git a/CHANGES b/CHANGES index 29daadf..eac01bc 100644 --- a/CHANGES +++ b/CHANGES @@ -29,6 +29,9 @@ security: the openssl-commonname option when it is used. Test: OPENSSL_CN_SERVER_SECURITY + Red Hat issue 1019964: socat now uses the system certificate store with + OPENSSL when neither options cafile nor capath are used + corrections: LISTEN based addresses applied some address options, e.g. so-keepalive, to the listening file descriptor instead of the connected file diff --git a/config.h.in b/config.h.in index 232ed6b..c08f709 100644 --- a/config.h.in +++ b/config.h.in @@ -399,6 +399,9 @@ /* Define if you have the SSLv2_server_method function. not in new openssl */ #undef HAVE_SSLv2_server_method + +/* Define if you have the HAVE_SSL_CTX_set_default_verify_paths function */ +#undef HAVE_SSL_CTX_set_default_verify_paths /* Define if you have the flock function */ #undef HAVE_FLOCK diff --git a/configure.in b/configure.in index 64b8ad9..4e6ff4e 100644 --- a/configure.in +++ b/configure.in @@ -1352,7 +1352,8 @@ AC_CHECK_FUNC(unsetenv, AC_DEFINE(HAVE_UNSETENV)) dnl Search for SSLv2_client_method, SSLv2_server_method AC_CHECK_FUNC(SSLv3_client_method, AC_DEFINE(HAVE_SSLv3_client_method), AC_CHECK_LIB(crypt, SSLv3_client_method, [LIBS=-lcrypt $LIBS])) AC_CHECK_FUNC(SSLv2_server_method, AC_DEFINE(HAVE_SSLv2_server_method), AC_CHECK_LIB(crypt, SSLv2_server_method, [LIBS=-lcrypt $LIBS])) - +dnl +AC_CHECK_FUNC(SSL_CTX_set_default_verify_paths, AC_DEFINE(HAVE_SSL_CTX_set_default_verify_paths)) dnl Run time checks diff --git a/xio-openssl.c b/xio-openssl.c index 6367645..1cf1c30 100644 --- a/xio-openssl.c +++ b/xio-openssl.c @@ -1055,6 +1055,10 @@ int return STAT_RETRYLATER; } } +#ifdef HAVE_SSL_CTX_set_default_verify_paths + } else { + SSL_CTX_set_default_verify_paths(*ctx); +#endif } if (opt_cert) {
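Review bot: In the config.h.in hunk the added comment names the macro instead of the function: it reads `Define if you have the HAVE_SSL_CTX_set_default_verify_paths function`, while the neighbouring entry names the function itself. I would write `/* Define if you have the SSL_CTX_set_default_verify_paths function */` so the template matches the check added in configure.in.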
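Review bot: In the configure.in hunk the bare `dnl` that replaces the blank line says nothing about the check it introduces; something like `dnl Check for SSL_CTX_set_default_verify_paths (system trust store)` would match the commented checks above it. When the function is not found, the feature is compiled out without any message, so such a build presumably keeps the earlier behaviour of loading no default trust anchors; an `AC_MSG_NOTICE` would make that visible to packagers. Whether the OpenSSL libraries are already in `LIBS` at this point is not visible in the hunk and is worth confirming, since `AC_CHECK_FUNC` only links against what is already there.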
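Review bot: In the xio-openssl.c hunk the new `else` branch calls `SSL_CTX_set_default_verify_paths(*ctx)` and discards its result; the function returns 1 on success and 0 on failure, so a missing or unreadable system store would presumably surface only later as an unexplained verification failure. Checking it, e.g. `if (SSL_CTX_set_default_verify_paths(*ctx) != 1) { /* report through this file's usual error path */ }`, would make that diagnosable. The enclosing function starts and ends outside the hunk, so it is not visible whether this context setup also serves listening addresses; if it does, a server that verifies peers without cafile/capath would now accept any client certificate that chains to a system CA, which deserves a line in the documentation or a client-only guard. Splitting `} else {` across the `#ifdef` also makes the following `}` close a different block depending on the configure result; putting a complete statement inside the conditional would be easier to read and maintain.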