Comment 1 for bug 1677947

Can you share more information on this, such as the tool you used for static analysis or more detailed output? Ideal would be the code path that your tool believes exhibits the behaviour.

libeap's internal method tls_connection_set_verify() should be called to set the verification callback for the context before SSL_connect() or SSL_accept() is reached - if there is a code path that makes this not be the case, it's not immediately obvious.