diff --git a/platform/cert.c b/platform/cert.c
index 2fee714..974c86e 100644
--- a/platform/cert.c
+++ b/platform/cert.c
@@ -244,16 +244,30 @@ WINHTTPAPI BOOL hook_WinHttpSetOption( if (dwOption == WINHTTP_OPTION_CLIENT_CERT_CONTEXT) { // This is U G L Y and will fail on servers that actually check the client cert. dprintf("Cert: Block WINHTTP_OPTION_CLIENT_CERT_CONTEXT\n"); - return true; - } - else if (dwOption == WINHTTP_OPTION_SECURITY_FLAGS) { - dprintf("Cert: Add all security ignore flags\n"); - int value = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_CERT_CN_INVALID; // the kitchen sink WINHTTP_STATUS_CALLBACK cb_check = WinHttpSetStatusCallback(hInternet, (WINHTTP_STATUS_CALLBACK)ca_error_cb, WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0); if (cb_check == WINHTTP_INVALID_STATUS_CALLBACK) { dprintf("Cert: Failed to set SSL error callback: %08lX\n", GetLastError()); SetLastError(0); } + + // Sneak in security disable while we're here + int value = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_CERT_CN_INVALID; // the kitchen sink + if (!next_WinHttpSetOption(hInternet, WINHTTP_OPTION_SECURITY_FLAGS, &value, 4)) { + dprintf("Cert: Failed to set ignore security flags: %08lX\n", GetLastError()); + SetLastError(0); + } + return true; + } + else if (dwOption == WINHTTP_OPTION_SECURITY_FLAGS) { + dprintf("Cert: Add all security ignore flags\n"); + + WINHTTP_STATUS_CALLBACK cb_check = WinHttpSetStatusCallback(hInternet, (WINHTTP_STATUS_CALLBACK)ca_error_cb, WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0); + if (cb_check == WINHTTP_INVALID_STATUS_CALLBACK) { + dprintf("Cert: Failed to set SSL error callback: %08lX\n", GetLastError()); + SetLastError(0); + } + + int value = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_CERT_CN_INVALID; // the kitchen sink return next_WinHttpSetOption(hInternet, dwOption, &value, dwBufferLength); } else { dprintf("Cert: hook_WinHttpSetOption %p %08X\n", hInternet, (int)dwOption);
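Review bot: The new CLIENT_CERT_CONTEXT branch passes a hard-coded buffer length `4` to next_WinHttpSetOption, while the SECURITY_FLAGS branch below hands the caller's `dwBufferLength` to the same kind of local `int value`; both lengths should be tied to the variable, and the variable should match the option's type, i.e. `DWORD value = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | SECURITY_FLAG_IGNORE_CERT_CN_INVALID;` with `&value, sizeof value`. The status-callback install and the "kitchen sink" constant now appear twice in this hunk; a small `static` helper taking `hInternet` would keep the two branches from drifting apart. The `// Sneak in security disable while we're here` comment should also state plainly that this turns off unknown-CA, date and CN validation on the handle even though the caller only asked to set a client certificate, so that someone reading the "Failed to set ignore security flags" log line later understands where the flags came from. hook_WinHttpSetOption's signature is only in the hunk header and its body continues past the last context line.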