diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index dd793d1943..e3bb484776 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7949,13 +7949,12 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
 ssl->handshake->ciphersuite_info;
 int have_ca_chain = 0;
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
- void *p_vrfy;
-
 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
 return 0;
 }
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+ void *p_vrfy;
 if (ssl->f_vrfy != NULL) {
 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
 f_vrfy = ssl->f_vrfy;
@@ -7988,7 +7987,6 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
 {
 mbedtls_x509_crt *ca_chain;
 mbedtls_x509_crl *ca_crl;
-
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
 if (ssl->handshake->sni_ca_chain != NULL) {
 ca_chain = ssl->handshake->sni_ca_chain;
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index c130de0a84..f883a22f4f 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -630,8 +630,6 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 {
 int ret = 0;
 int have_ca_chain = 0;
- mbedtls_x509_crt *ca_chain;
- mbedtls_x509_crl *ca_crl;
 uint32_t verify_result = 0;
 /* Authmode: precedence order is SNI if used else configuration */
@@ -716,6 +714,8 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
 } else
 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
 {
+ mbedtls_x509_crt *ca_chain;
+ mbedtls_x509_crl *ca_crl;
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
 if (ssl->handshake->sni_ca_chain != NULL) {
 ca_chain = ssl->handshake->sni_ca_chain;
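Review bot: The relocated pointer declarations are still uninitialized: `f_vrfy`/`p_vrfy` in the first hunk of ssl_tls.c, and `ca_chain`/`ca_crl` in the last hunk of ssl_tls13_generic.c. In both places only the first assigning branch is visible, so the hunks alone do not show that every path assigns them before use. These values select the verification callback and the trust anchors a peer certificate is checked against, so I would initialize them where they are declared, e.g. `mbedtls_x509_crt *ca_chain = NULL;` and `mbedtls_x509_crl *ca_crl = NULL;` (likewise `= NULL` for `f_vrfy` and `p_vrfy`). A later edit that misses a branch then leaves a NULL, which the `have_ca_chain` logic presumably rejects, rather than an indeterminate pointer. Both enclosing functions continue outside the hunks.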