--- lib/fetch/common.c.orig	2016-04-24 19:23:10.086252434 +0200
+++ lib/fetch/common.c	2016-04-24 19:23:38.375203346 +0200
@@ -444,6 +444,8 @@ fetch_cache_put(conn_t *conn, int (*clos
 
 
 #ifdef WITH_SSL
+
+#ifndef HAVE_STRNSTR
 /*
  * Find the first occurrence of find in s, where the search is limited to the
  * first slen characters of s.
@@ -468,6 +470,7 @@ strnstr(const char *s, const char *find,
 	}
 	return ((char *)__UNCONST(s));
 }
+#endif
 
 /*
  * Convert characters A-Z to lowercase (intentionally avoid any locale
@@ -640,8 +643,10 @@ fetch_ssl_get_numeric_addrinfo(const cha
 	hints.ai_protocol = 0;
 	hints.ai_flags = AI_NUMERICHOST;
 	/* port is not relevant for this purpose */
-	if (getaddrinfo(host, "443", &hints, &res) != 0)
+	if (getaddrinfo(host, "443", &hints, &res) != 0) {
+		free(host);
 		return NULL;
+	}
 	free(host);
 	return res;
 }
@@ -929,8 +934,18 @@ fetch_ssl_cb_verify_crt(int verified, X5
 	return (verified);
 }
 
+static pthread_once_t ssl_init_once = PTHREAD_ONCE_INIT;
+
+static void
+ssl_init(void)
+{
+	/* Init the SSL library and context */
+	SSL_load_error_strings();
+	SSL_library_init();
+}
 #endif
 
+
 /*
  * Enable SSL on a connection.
  */
@@ -943,16 +958,14 @@ fetch_ssl(conn_t *conn, const struct url
 	X509_NAME *name;
 	char *str;
 
-	/* Init the SSL library and context */
-	if (!SSL_library_init()){
-		fprintf(stderr, "SSL library init failed\n");
-		return (-1);
-	}
-
-	SSL_load_error_strings();
+	(void)pthread_once(&ssl_init_once, ssl_init);
 
-	conn->ssl_meth = SSLv23_client_method();
-	conn->ssl_ctx = SSL_CTX_new(conn->ssl_meth);
+	conn->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+	if (conn->ssl_ctx == NULL) {
+		fprintf(stderr, "failed to create SSL context\n");
+		ERR_print_errors_fp(stderr);
+		return -1;
+	}
 	SSL_CTX_set_mode(conn->ssl_ctx, SSL_MODE_AUTO_RETRY);
 
 	fetch_ssl_setup_transport_layer(conn->ssl_ctx, verbose);