diff --git a/include/libtorrent/aux_/session_impl.hpp b/include/libtorrent/aux_/session_impl.hpp
index 5183b0c77..6488182bc 100644
--- a/include/libtorrent/aux_/session_impl.hpp
+++ b/include/libtorrent/aux_/session_impl.hpp
@@ -833,6 +833,7 @@ namespace aux {
 void update_upload_rate();
 void update_connections_limit();
 void update_alert_mask();
+ void update_validate_https();
 void trigger_auto_manage() override;
diff --git a/include/libtorrent/settings_pack.hpp b/include/libtorrent/settings_pack.hpp
index 6c7be47d7..0d061091e 100644
--- a/include/libtorrent/settings_pack.hpp
+++ b/include/libtorrent/settings_pack.hpp
@@ -804,6 +804,12 @@ namespace aux {
 // small piece sizes
 piece_extent_affinity,
+ // when set to true, the certificate of HTTPS trackers will be
+ // validated against the system's certificate store (as defined by
+ // OpenSSL). If the system does not have one, enabling this may cause
+ // HTTPS trackers to fail.
+ validate_https_trackers,
+
 max_bool_setting_internal
 };
diff --git a/src/session_impl.cpp b/src/session_impl.cpp
index f45d94fa4..d7b063486 100644
--- a/src/session_impl.cpp
+++ b/src/session_impl.cpp
@@ -538,6 +538,7 @@ namespace aux {
 #ifdef TORRENT_USE_OPENSSL
 error_code ec;
 m_ssl_ctx.set_verify_mode(boost::asio::ssl::context::verify_none, ec);
+ m_ssl_ctx.set_default_verify_paths(ec);
 m_peer_ssl_ctx.set_verify_mode(boost::asio::ssl::context::verify_none, ec);
 #if OPENSSL_VERSION_NUMBER >= 0x90812f
 aux::openssl_set_tlsext_servername_callback(m_peer_ssl_ctx.native_handle()
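Review bot: The comment on `validate_https_trackers` documents the on state only; it should also say what the default is and what the off state means, since the registration in settings_pack.cpp defaults it to false, which leaves HTTPS tracker certificates entirely unchecked (the connection is encrypted but the tracker is not authenticated). Suggest appending `// This is off by default; when off, HTTPS tracker certificates are not checked at all.` The comment also promises validation "against the system's certificate store", which is chain validation only; whether the certificate's name is also matched against the tracker host is not visible in this change, so the comment should claim only what the session actually enforces.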
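Review bot: The error from `m_ssl_ctx.set_default_verify_paths(ec);` is dropped — `ec` is overwritten by the following `set_verify_mode` call and never examined — so on a host without a usable certificate store the context ends up with no trust anchors, and once `validate_https_trackers` is switched on every HTTPS tracker fails with nothing explaining why. Check it right after the call, e.g. `if (ec) { /* log: failed to load default CA verify paths */ ec.clear(); }`, presumably through the session's logging facility (not visible in this hunk) so the operator can tell a store problem from a tracker problem. The enclosing function starts before and continues past this hunk.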
@@ -6606,6 +6607,20 @@ namespace {
 static_cast(m_settings.get_int(settings_pack::alert_mask))));
 }
+ void session_impl::update_validate_https()
+ {
+#ifdef TORRENT_USE_OPENSSL
+ using boost::asio::ssl::context;
+ auto const flags = m_settings.get_bool(settings_pack::validate_https_trackers)
+ ? context::verify_peer
+ | context::verify_fail_if_no_peer_cert
+ | context::verify_client_once
+ : context::verify_none;
+ error_code ec;
+ m_ssl_ctx.set_verify_mode(flags, ec);
+#endif
+ }
+
 void session_impl::pop_alerts(std::vector* alerts)
 {
 m_alerts.get_all(*alerts);
diff --git a/src/settings_pack.cpp b/src/settings_pack.cpp
index 4d64ebabd..4ae3a671e 100644
--- a/src/settings_pack.cpp
+++ b/src/settings_pack.cpp
@@ -210,6 +210,7 @@ constexpr int CLOSE_FILE_INTERVAL = 0;
 SET(enable_ip_notifier, true, &session_impl::update_ip_notifier),
 SET(dht_prefer_verified_node_ids, true, &session_impl::update_dht_settings),
 SET(piece_extent_affinity, false, nullptr),
+ SET(validate_https_trackers, false, &session_impl::update_validate_https),
 }});
 aux::array const int_settings
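Review bot: `context::verify_fail_if_no_peer_cert` and `context::verify_client_once` in `update_validate_https` are server-side flags (they control client-certificate requests) and have no effect on a context used to connect out to trackers, so the enabled branch should reduce to `? context::verify_peer` and the two `|` lines be dropped; as written the flags suggest a stricter check than OpenSSL performs. The larger gap is that `verify_peer` only validates the chain against the store loaded by `set_default_verify_paths`; it does not check that the certificate is issued for the tracker's host name, so unless the tracker connection installs a per-stream host-name check (e.g. `boost::asio::ssl::rfc2818_verification`, or `host_name_verification` on newer Boost) when this setting is on — that code is outside this hunk — any certificate from a trusted CA would be accepted for any tracker, which undoes most of what the setting is meant to provide. The result of `m_ssl_ctx.set_verify_mode(flags, ec);` is also discarded; surfacing `ec` would make a failed mode change visible. Note too that changing the verify mode on the shared context affects only streams created afterwards, which the setting's documentation could mention.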