diff --git a/src/internal.c b/src/internal.c
index 1add79966..77fd88f60 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -6797,6 +6797,8 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 if (ctx->protoMsgCb != NULL) {
 ssl->toInfoOn = 1;
 }
+
+ ssl->disabledCurves = ctx->disabledCurves;
 #endif
 InitCiphers(ssl);
diff --git a/src/ssl.c b/src/ssl.c
index 3bdb4ebd8..93e614f19 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -33905,36 +33905,25 @@ void wolfSSL_get0_next_proto_negotiated(const WOLFSSL *s, const unsigned char **
 #endif /* WOLFSSL_NGINX / WOLFSSL_HAPROXY */
 #ifdef OPENSSL_EXTRA
-int wolfSSL_CTX_curve_is_disabled(WOLFSSL_CTX* ctx, word16 curve_id)
-{
- return (curve_id <= WOLFSSL_ECC_MAX &&
- ctx->disabledCurves &&
- ctx->disabledCurves & (1 << curve_id));
-}
-
 int wolfSSL_curve_is_disabled(WOLFSSL* ssl, word16 curve_id)
 {
- /* FIXME: see wolfSSL_set1_curves_list() below on why
- * this dependency on ssl->ctx alone is insufficient. */
- return wolfSSL_CTX_curve_is_disabled(ssl->ctx, curve_id);
+ return (curve_id <= WOLFSSL_ECC_MAX &&
+ ssl->disabledCurves &&
+ ssl->disabledCurves & (1 << curve_id));
 }
 #endif
 #if defined(OPENSSL_EXTRA) && (defined(HAVE_ECC) || \
 defined(HAVE_CURVE25519) || defined(HAVE_CURVE448))
-int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names)
+static int set_curves_list(WOLFSSL* ssl, WOLFSSL_CTX *ctx, const char* names)
 {
 int idx, start = 0, len;
 word16 curve;
+ word32 disabled;
 char name[MAX_CURVE_NAME_SZ];
- if (ctx == NULL || names == NULL) {
- WOLFSSL_MSG("ctx or names was NULL");
- return WOLFSSL_FAILURE;
- }
-
 /* Disable all curves so that only the ones the user wants are enabled. */
- ctx->disabledCurves = 0xFFFFFFFFUL;
+ disabled = 0xFFFFFFFFUL;
 for (idx = 1; names[idx-1] != '\0'; idx++) {
 if (names[idx] != ':' && names[idx] != '\0')
 continue;
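Review bot: The per-session mask is copied from the context only here in InitSSL, so a later path that re-binds a session to a different context (wolfSSL_set_SSL_CTX, if this build exposes it) would leave `ssl->disabledCurves` holding the first context's curve policy; that path is not part of this diff and is worth checking. A short comment on the added line would record the intent, for example `/* inherit ctx curve policy; wolfSSL_set1_curves_list() may override it per session */`. The preprocessor block enclosing this assignment opens outside the hunk, as does the one around the new `disabledCurves` field in wolfssl/internal.h, so confirm that both sit under the same guard.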
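Review bot: The membership test in wolfSSL_curve_is_disabled shifts a signed int, `1 << curve_id`, while set_curves_list builds the same mask with `1U << curve`; the check should use the unsigned form too, `ssl->disabledCurves & (1U << curve_id)`. The value of WOLFSSL_ECC_MAX is not visible in this diff, and because the mask is a word32 the `curve_id <= WOLFSSL_ECC_MAX` bound only protects the shift while that constant stays below 32 (at 31 the signed shift is already undefined). A wrong answer here would silently let a curve the caller disabled pass the check, so a compile-time assertion on WOLFSSL_ECC_MAX next to the field declaration would be cheap insurance.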
@@ -34008,28 +33997,44 @@ int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names)
 #if defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT)
 /* set the supported curve so client TLS extension contains only the
 * desired curves */
- if (wolfSSL_CTX_UseSupportedCurve(ctx, curve) != WOLFSSL_SUCCESS) {
+ if ((ssl
+ && wolfSSL_UseSupportedCurve(ssl, curve) != WOLFSSL_SUCCESS)
+ || (ctx
+ && wolfSSL_CTX_UseSupportedCurve(ctx, curve) != WOLFSSL_SUCCESS)) {
 WOLFSSL_MSG("Unable to set supported curve");
 return WOLFSSL_FAILURE;
 }
 #endif
 /* Switch the bit to off and therefore is enabled. */
- ctx->disabledCurves &= ~(1U << curve);
+ disabled &= ~(1U << curve);
 start = idx + 1;
 }
+ if (ssl)
+ ssl->disabledCurves = disabled;
+ else
+ ctx->disabledCurves = disabled;
+
 return WOLFSSL_SUCCESS;
 }
-int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names)
+int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names)
 {
- if (ssl == NULL) {
+ if (ctx == NULL || names == NULL) {
+ WOLFSSL_MSG("ctx or names was NULL");
 return WOLFSSL_FAILURE;
 }
- /* FIXME: this manipulates the context from a WOLFSSL* and
- * will lead to surprises for some. */
- return wolfSSL_CTX_set1_curves_list(ssl->ctx, names);
+ return set_curves_list(NULL, ctx, names);
+}
+
+int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names)
+{
+ if (ssl == NULL || names == NULL) {
+ WOLFSSL_MSG("ssl or names was NULL");
+ return WOLFSSL_FAILURE;
+ }
+ return set_curves_list(ssl, NULL, names);
 }
 #endif /* OPENSSL_EXTRA && (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) */
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 6ded466c5..2c3b59f49 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
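Review bot: When wolfSSL_UseSupportedCurve or wolfSSL_CTX_UseSupportedCurve fails part-way through the list, set_curves_list returns before `disabled` is stored, so the enforcement mask keeps its previous value while the curves named earlier in the list have already been handed to the supported-curves extension. After such a failure the advertised curves and the mask consulted by wolfSSL_curve_is_disabled can disagree, and the caller only sees WOLFSSL_FAILURE; this should at least be documented. Whether the per-session call replaces or adds to curves inherited from the context is not visible here, so a test that sets one list on the ctx and a narrower one on the ssl, then checks what is offered and what is accepted, would pin the intended behaviour. The final `else` dereferences `ctx` on the assumption that exactly one of the two pointers is set; a comment above the helper such as `/* exactly one of ssl or ctx must be non-NULL */` would state that contract. The start of set_curves_list lies outside this hunk.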
@@ -4668,6 +4668,7 @@ struct WOLFSSL {
 WOLFSSL_BIO* biowr; /* socket bio write to free/close */
 byte sessionCtx[ID_LEN]; /* app session context ID */
 WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/
+ word32 disabledCurves; /* curves disabled by user */
 #endif
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 unsigned long peerVerifyRet;
@@ -5251,10 +5252,8 @@ WOLFSSL_LOCAL int SetECKeyExternal(WOLFSSL_EC_KEY* eckey);
 #endif
 #if defined(OPENSSL_EXTRA)
-WOLFSSL_LOCAL int wolfSSL_CTX_curve_is_disabled(WOLFSSL_CTX* ctx, word16 named_curve);
 WOLFSSL_LOCAL int wolfSSL_curve_is_disabled(WOLFSSL* ssl, word16 named_curve);
 #else
-#define wolfSSL_CTX_curve_is_disabled(ctx, c) ((void)(ctx), (void)(c), 0)
 #define wolfSSL_curve_is_disabled(ssl, c) ((void)(ssl), (void)(c), 0)
 #endif