diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
--- a/lib/ssl/authcert.c
+++ b/lib/ssl/authcert.c
@@ -204,10 +204,13 @@
     if (certList == NULL) {
         certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
                                              certUsageSSLClient,
                                              PR_FALSE, chosenNickName == NULL,
                                              pw_arg);
+        if (certList == NULL) {
+            return SECFailure;
+        }
         /* filter only the certs that meet the nickname requirements */
         if (chosenNickName) {
             rv = CERT_FilterCertListByNickname(certList, chosenNickName,
                                                pw_arg);
         } else {
@@ -217,17 +220,14 @@
                                               certUsageSSLClient);
             ssl_FreeDistNamesStrings(names, nnames);
         }
         if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
             CERT_DestroyCertList(certList);
-            certList = NULL;
+            return SECFailure;
         }
     }
-    if (certList == NULL) {
-        /* no user certs meeting the nickname/usage requirements found */
-        return SECFailure;
-    }
+
     /* now remove any certs that can't meet the connection requirements */
     rv = ssl_FilterClientCertListBySSLSocket(ss, certList);
     if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
         // no certs left.
         CERT_DestroyCertList(certList);