diff --git a/ChangeLog.txt b/ChangeLog.txt
index 6e2376e0..81bf20c8 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -28,6 +28,8 @@ Client library:
 - Don't set SIGPIPE to ignore, use MSG_NOSIGNAL instead. Closes #2564.
 - Add documentation of struct mosquitto_message to header. Closes #2561.
 - Fix documentation omission around mosquitto_reinitialise. Closes #2489.
+- Fix use of MOSQ_OPT_SSL_CTX when used in conjunction with
+ MOSQ_OPT_SSL_CTX_DEFAULTS. Closes #2463.
 
 Clients:
 - Fix mosquitto_pub incorrectly reusing topic aliases when reconnecting.
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index 28654b14..80d9195b 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -661,8 +661,8 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 * has not been set, or if both of MOSQ_OPT_SSL_CTX and
 * MOSQ_OPT_SSL_CTX_WITH_DEFAULTS are set. */
 if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk || mosq->tls_use_os_certs){
+ net__init_tls();
 if(!mosq->ssl_ctx){
- net__init_tls();
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 mosq->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
diff --git a/test/lib/Makefile b/test/lib/Makefile
index 65d49ca2..6ade78d0 100644
--- a/test/lib/Makefile
+++ b/test/lib/Makefile
@@ -65,6 +65,8 @@ ifeq ($(WITH_TLS),yes)
 ./08-ssl-bad-cacert.py $@/08-ssl-bad-cacert.test
 ./08-ssl-connect-cert-auth-enc.py $@/08-ssl-connect-cert-auth-enc.test
 ./08-ssl-connect-cert-auth.py $@/08-ssl-connect-cert-auth.test
+ ./08-ssl-connect-cert-auth.py $@/08-ssl-connect-cert-auth-custom-ssl-ctx.test
+ ./08-ssl-connect-cert-auth.py $@/08-ssl-connect-cert-auth-custom-ssl-ctx-default.test
 ./08-ssl-connect-no-auth.py $@/08-ssl-connect-no-auth.test
 endif
 ./09-util-topic-tokenise.py $@/09-util-topic-tokenise.test
diff --git a/test/lib/c/08-ssl-connect-cert-auth-custom-ssl-ctx-default.c b/test/lib/c/08-ssl-connect-cert-auth-custom-ssl-ctx-default.c
new file mode 100644
index 00000000..2a0d5baf
--- /dev/null
+++ b/test/lib/c/08-ssl-connect-cert-auth-custom-ssl-ctx-default.c
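Review bot: The hoisted `net__init_tls();` in the net_mosq.c hunk now runs on every pass through the `if(mosq->tls_cafile || ...)` branch rather than only when the library creates the context, including when the caller installed its own SSL_CTX, and nothing in the hunk shows it being guarded against repeated invocation; worth confirming that net__init_tls() is safe to call more than once, since net__init_ssl_ctx() is presumably reached on each connect. The comment just above still describes when the defaults are applied but says nothing about why library initialisation must now precede a user-supplied context, so a one-line comment such as `/* Initialise OpenSSL before using mosq->ssl_ctx, whether it came from MOSQ_OPT_SSL_CTX or is created below. */` above the call would record the intent of the fix for the next reader. The body of net__init_ssl_ctx() continues past the end of the hunk.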
@@ -0,0 +1,59 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+static int run = -1;
+
+void on_connect(struct mosquitto *mosq, void *obj, int rc)
+{
+ if(rc){
+ exit(1);
+ }else{
+ mosquitto_disconnect(mosq);
+ }
+}
+
+void on_disconnect(struct mosquitto *mosq, void *obj, int rc)
+{
+ run = rc;
+}
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct mosquitto *mosq;
+ SSL_CTX *ssl_ctx;
+ int port = atoi(argv[1]);
+
+ mosquitto_lib_init();
+
+ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
+ | OPENSSL_INIT_ADD_ALL_DIGESTS \
+ | OPENSSL_INIT_LOAD_CONFIG, NULL);
+ ssl_ctx = SSL_CTX_new(TLS_client_method());
+
+ mosq = mosquitto_new("08-ssl-connect-crt-auth", true, NULL);
+ if(mosq == NULL){
+ return 1;
+ }
+
+ mosquitto_int_option(mosq, MOSQ_OPT_SSL_CTX_WITH_DEFAULTS, 1);
+ mosquitto_void_option(mosq, MOSQ_OPT_SSL_CTX, ssl_ctx);
+
+ mosquitto_tls_set(mosq, "../ssl/test-root-ca.crt", "../ssl/certs", "../ssl/client.crt", "../ssl/client.key", NULL);
+ mosquitto_connect_callback_set(mosq, on_connect);
+ mosquitto_disconnect_callback_set(mosq, on_disconnect);
+
+ rc = mosquitto_connect(mosq, "localhost", port, 60);
+
+ while(run == -1){
+ mosquitto_loop(mosq, -1, 1);
+ }
+ mosquitto_destroy(mosq);
+
+ mosquitto_lib_cleanup();
+ return run;
+}
diff --git a/test/lib/c/08-ssl-connect-cert-auth-custom-ssl-ctx.c b/test/lib/c/08-ssl-connect-cert-auth-custom-ssl-ctx.c
new file mode 100644
index 00000000..5d9866ef
--- /dev/null
+++ b/test/lib/c/08-ssl-connect-cert-auth-custom-ssl-ctx.c
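Review bot: `rc = mosquitto_connect(mosq, "localhost", port, 60);` is stored but never examined, so if the connect fails `run` stays -1 and the `while(run == -1)` loop keeps calling mosquitto_loop() until the harness times out instead of the test reporting failure; a check such as `if(rc != MOSQ_ERR_SUCCESS){ mosquitto_destroy(mosq); return 1; }` right after the connect would make the failure explicit. `SSL_CTX_new()` is likewise unchecked before the context is handed to mosquitto_void_option(), and `atoi(argv[1])` is evaluated without confirming argc, so a missing port argument is undefined behaviour rather than a usage error. The context is also never released with SSL_CTX_free() after mosquitto_destroy(), which is harmless in a short-lived test but worth a line given that the test is specifically about who owns the SSL_CTX. The same three points apply to 08-ssl-connect-cert-auth-custom-ssl-ctx.c in the next hunk.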
@@ -0,0 +1,63 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+static int run = -1;
+
+void on_connect(struct mosquitto *mosq, void *obj, int rc)
+{
+ if(rc){
+ exit(1);
+ }else{
+ mosquitto_disconnect(mosq);
+ }
+}
+
+void on_disconnect(struct mosquitto *mosq, void *obj, int rc)
+{
+ run = rc;
+}
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ struct mosquitto *mosq;
+ SSL_CTX *ssl_ctx;
+ int port = atoi(argv[1]);
+
+ mosquitto_lib_init();
+
+ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
+ | OPENSSL_INIT_ADD_ALL_DIGESTS \
+ | OPENSSL_INIT_LOAD_CONFIG, NULL);
+ ssl_ctx = SSL_CTX_new(TLS_client_method());
+
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
+ SSL_CTX_use_certificate_chain_file(ssl_ctx, "../ssl/client.crt");
+ SSL_CTX_use_PrivateKey_file(ssl_ctx, "../ssl/client.key", SSL_FILETYPE_PEM);
+ SSL_CTX_load_verify_locations(ssl_ctx, "../ssl/test-root-ca.crt", "../ssl/certs");
+
+ mosq = mosquitto_new("08-ssl-connect-crt-auth", true, NULL);
+ if(mosq == NULL){
+ return 1;
+ }
+ mosquitto_tls_set(mosq, "../ssl/test-root-ca.crt", "../ssl/certs", "../ssl/client.crt", "../ssl/client.key", NULL);
+ mosquitto_connect_callback_set(mosq, on_connect);
+ mosquitto_disconnect_callback_set(mosq, on_disconnect);
+
+ mosquitto_int_option(mosq, MOSQ_OPT_SSL_CTX_WITH_DEFAULTS, 0);
+ mosquitto_void_option(mosq, MOSQ_OPT_SSL_CTX, ssl_ctx);
+
+ rc = mosquitto_connect(mosq, "localhost", port, 60);
+
+ while(run == -1){
+ mosquitto_loop(mosq, -1, 1);
+ }
+ mosquitto_destroy(mosq);
+
+ mosquitto_lib_cleanup();
+ return run;
+}
diff --git a/test/lib/c/Makefile b/test/lib/c/Makefile
index 6c09e806..40cb7d15 100644
--- a/test/lib/c/Makefile
+++ b/test/lib/c/Makefile
@@ -1,3 +1,5 @@
+include ../../../config.mk
+
 .PHONY: all clean reallyclean
 
 CFLAGS=-I../../../include -Werror
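Review bot: The three loader calls `SSL_CTX_use_certificate_chain_file`, `SSL_CTX_use_PrivateKey_file` and `SSL_CTX_load_verify_locations` return int and are unchecked, so a missing or unreadable file under ../ssl leaves the context without a client identity or trust anchors and the test only fails later at the handshake with a less specific error; checking each result, e.g. `if(SSL_CTX_load_verify_locations(ssl_ctx, "../ssl/test-root-ca.crt", "../ssl/certs") != 1){ return 1; }`, would fail fast at the real cause. It is also not obvious from the file why `mosquitto_tls_set(...)` is still called when MOSQ_OPT_SSL_CTX_WITH_DEFAULTS is 0 and the context has already been configured by hand; whether the library needs those paths at all once it is handed a fully configured context is not visible here, so a short comment above the call stating what it is needed for (or that it is deliberately redundant) would save the next reader from re-deriving it. Since this test disables the library defaults, it is worth noting in a comment that peer verification here comes entirely from the `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL)` line so that a future edit does not drop it by accident.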
@@ -55,6 +57,13 @@ SRC = \ 11-prop-send-payload-format.c \ 11-prop-send-content-type.c +ifeq ($(WITH_TLS),yes) +SRC += \ + 08-ssl-connect-cert-auth-custom-ssl-ctx.c \ + 08-ssl-connect-cert-auth-custom-ssl-ctx-default.c +LIBS += -lssl -lcrypto +endif + TESTS = ${SRC:.c=.test} all : ${TESTS} diff --git a/test/lib/test.py b/test/lib/test.py index eb56e718..6f06c3f7 100755 --- a/test/lib/test.py +++ b/test/lib/test.py @@ -48,6 +48,8 @@ tests = [ (1, ['./08-ssl-bad-cacert.py', 'c/08-ssl-bad-cacert.test']), (1, ['./08-ssl-connect-cert-auth-enc.py', 'c/08-ssl-connect-cert-auth-enc.test']), (1, ['./08-ssl-connect-cert-auth.py', 'c/08-ssl-connect-cert-auth.test']), + (1, ['./08-ssl-connect-cert-auth.py', 'c/08-ssl-connect-cert-auth-custom-ssl-ctx.test']), + (1, ['./08-ssl-connect-cert-auth.py', 'c/08-ssl-connect-cert-auth-custom-ssl-ctx-default.test']), (1, ['./08-ssl-connect-no-auth.py', 'c/08-ssl-connect-no-auth.test']), (1, ['./09-util-topic-tokenise.py', 'c/09-util-topic-tokenise.test']),