diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ebd19c366c..c9cca703d6 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7947,7 +7947,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
 int ret = 0;
 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
- int have_ca_chain = 0;
+ int have_ca_chain_or_callback = 0;
 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
 return 0;
@@ -7971,7 +7971,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
 if (ssl->conf->f_ca_cb != NULL) {
 ((void) rs_ctx);
- have_ca_chain = 1;
+ have_ca_chain_or_callback = 1;
 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
 ret = mbedtls_x509_crt_verify_with_ca_cb(
@@ -7999,7 +7999,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
 }
 if (ca_chain != NULL) {
- have_ca_chain = 1;
+ have_ca_chain_or_callback = 1;
 }
 ret = mbedtls_x509_crt_verify_restartable(
@@ -8061,7 +8061,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
 ret = 0;
 }
- if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
+ if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
 }
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index f883a22f4f..6ea5e01d47 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -629,7 +629,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 {
 int ret = 0;
- int have_ca_chain = 0;
+ int have_ca_chain_or_callback = 0;
 uint32_t verify_result = 0;
 /* Authmode: precedence order is SNI if used else configuration */
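Review bot: The renamed flag `have_ca_chain_or_callback` has no comment at its declaration in either file saying what it actually records, and in the callback branch it is set as soon as `ssl->conf->f_ca_cb != NULL`, before the callback has run. I would add at both declarations something like `/* Non-zero once a trust source is configured (CA chain or CA callback); it does not mean the callback returned any CA. */`, so a reader does not take the final `MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED` check as covering a callback that yields no trust anchors; that case presumably rests on the X.509 verification result, which is outside these hunks. In the last hunk of each file the debug text still reads `"got no CA chain"`; if no log-matching test depends on that string, `("got no CA chain or CA callback")` would match the new name. Both functions begin and end outside the hunks shown.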
@@ -700,7 +700,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 */
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
 if (ssl->conf->f_ca_cb != NULL) {
- have_ca_chain = 1;
+ have_ca_chain_or_callback = 1;
 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
 ret = mbedtls_x509_crt_verify_with_ca_cb(
@@ -728,7 +728,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 }
 if (ca_chain != NULL) {
- have_ca_chain = 1;
+ have_ca_chain_or_callback = 1;
 }
 ret = mbedtls_x509_crt_verify_with_profile(
@@ -771,7 +771,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 ret = 0;
 }
- if (!have_ca_chain && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
+ if (!have_ca_chain_or_callback && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
 }