diff --git a/CHANGES b/CHANGES
index ef981c9280599474c622bba2ebd4b9a390ca86a7..03089f77347e3619a34afca06583672661d61e8e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,7 @@
 OpenLDAP 2.4 Change Log
 
 OpenLDAP 2.4.20 Engineering
+	Fixed libldap uninitialized return value (ITS#6355)
 	Fixed slapd debug handling of LDAP_DEBUG_ANY (ITS#6324)
 
 OpenLDAP 2.4.19 Release (2009/10/06)
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 4d08272a21b1aa4ca456405f33da8d9cec0d5da3..dcae8f28947d1b4f4c54450bafa66f37d30fe61a 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -1081,6 +1081,7 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 	/* FIXME:  Who frees the key? */
 #if OPENSSL_VERSION_NUMBER > 0x00908000
 	BIGNUM *bn = BN_new();
+	tmp_rsa = NULL;
 	if ( bn ) {
 		if ( BN_set_word( bn, RSA_F4 )) {
 			tmp_rsa = RSA_new();
@@ -1090,8 +1091,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 			}
 		}
 		BN_free( bn );
-	} else {
-		tmp_rsa = NULL;
 	}
 #else
 	tmp_rsa = RSA_generate_key( key_length, RSA_F4, NULL, NULL );
@@ -1101,7 +1100,6 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
 		Debug( LDAP_DEBUG_ANY,
 			"TLS: Failed to generate temporary %d-bit %s RSA key\n",
 			key_length, is_export ? "export" : "domestic", 0 );
-		return NULL;
 	}
 	return tmp_rsa;
 }