diff --git a/docs/reference/session-porting.xml b/docs/reference/session-porting.xml
index 67a433a10cf22df8613c4cfa3025e097e01c941c..c2f910946723f09478cd0baf98eda0f4453bc478 100644
--- a/docs/reference/session-porting.xml
+++ b/docs/reference/session-porting.xml
@@ -43,32 +43,6 @@ linkend="SoupSessionAsync"><type>SoupSessionAsync</type></link> and
 </para>
 
 <itemizedlist>
-  <listitem>
-    <para>
-      The system TLS/SSL certificate database is used by default to
-      validate https certificates, and sites with invalid certificates
-      will refuse to load with a
-      <link linkend="SOUP-STATUS-SSL-FAILED:CAPS"><literal>SOUP_STATUS_SSL_FAILED</literal></link>
-      error.
-    </para>
-    <para>
-      You can still override the CA database as before, by setting the
-      <link linkend="SoupSession--ssl-ca-file"><type>"ssl-ca-file"</type></link>
-      property, although the
-      <link linkend="SoupSession--tls-database"><type>"tls-database"</type></link>
-      property is preferred, since it allows you to do proper error
-      handling.
-    </para>
-    <para>
-      If you want to accept all certificates, set
-      <link linkend="SoupSession--ssl-strict"><type>"ssl-strict"</type></link> to
-      <literal>FALSE</literal>. Note that libsoup will still check
-      certificates, it will just continue with the HTTP request even
-      if the certificate fails to validate. You can use
-      <link linkend="soup-message-get-https-status"><function>soup_message_get_https_status()</function></link>
-      to look at the certificate after the fact.
-    </para>
-  </listitem>
   <listitem>
     <para>
       The
diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c
index dd3cdc46be7bad1015e8f79393b63a031ed4af97..10f0075b8004a77fc9d95092225216210e767f65 100644
--- a/libsoup/soup-session.c
+++ b/libsoup/soup-session.c
@@ -270,16 +270,19 @@ soup_session_constructor (GType                  type,
 			  GObjectConstructParam *construct_params)
 {
 	GObject *object;
+	SoupSession *session;
+	SoupSessionPrivate *priv;
 
 	object = G_OBJECT_CLASS (soup_session_parent_class)->constructor (type, n_construct_properties, construct_params);
+	session = SOUP_SESSION (object);
+	priv = soup_session_get_instance_private (session);
+
+	priv->tlsdb_use_default = TRUE;
 
 	/* If this is a "plain" SoupSession, fix up the default
 	 * properties values, etc.
 	 */
 	if (type == SOUP_TYPE_SESSION) {
-		SoupSession *session = SOUP_SESSION (object);
-		SoupSessionPrivate *priv = soup_session_get_instance_private (session);
-
 		g_clear_pointer (&priv->async_context, g_main_context_unref);
 		priv->async_context = g_main_context_ref_thread_default ();
 		priv->use_thread_context = TRUE;
@@ -293,7 +296,6 @@ soup_session_constructor (GType                  type,
 		 * we just set flags saying to do it later.
 		 */
 		priv->proxy_use_default = TRUE;
-		priv->tlsdb_use_default = TRUE;
 
 		soup_session_add_feature_by_type (session, SOUP_TYPE_CONTENT_DECODER);
 	}
@@ -3413,10 +3415,9 @@ soup_session_class_init (SoupSessionClass *session_class)
 	 * See #SoupSession:ssl-strict for more information on how
 	 * https certificate validation is handled.
 	 *
-	 * Note that the default value of %TRUE only applies to plain
-	 * #SoupSessions. If you are using #SoupSessionAsync or
-	 * #SoupSessionSync, the default value is %FALSE, for backward
-	 * compatibility.
+	 * If you are using #SoupSessionAsync or
+	 * #SoupSessionSync, on libsoup older than 2.72.1, the default value
+	 * is %FALSE, for backward compatibility.
 	 *
 	 * Since: 2.38
 	 **/
@@ -3453,7 +3454,8 @@ soup_session_class_init (SoupSessionClass *session_class)
 	 * #SoupSession:ssl-use-system-ca-file will be %TRUE by
 	 * default, and so this property will be a copy of the system
 	 * CA database. If you are using #SoupSessionAsync or
-	 * #SoupSessionSync, this property will be %NULL by default.
+	 * #SoupSessionSync, on libsoup older than 2.72.1, this property
+	 * will be %NULL by default.
 	 *
 	 * Since: 2.38
 	 **/
diff --git a/tests/no-ssl-test.c b/tests/no-ssl-test.c
index c9d9bcadb146e32e45548057cfb5f81fe16fbb6e..36706fc086f6b68ff6a82e42ef8d9cb1c7bfa5a7 100644
--- a/tests/no-ssl-test.c
+++ b/tests/no-ssl-test.c
@@ -72,8 +72,8 @@ do_session_property_tests (void)
 		      "tls-database", &tlsdb,
 		      "ssl-ca-file", &ca_file,
 		      NULL);
-	soup_test_assert (!use_system, "ssl-use-system-ca-file defaults to TRUE");
-	soup_test_assert (tlsdb == NULL, "tls-database set by default");
+	soup_test_assert (use_system, "ssl-use-system-ca-file defaults to FALSE");
+	soup_test_assert (tlsdb != NULL, "tls-database not set by default");
 	soup_test_assert (ca_file == NULL, "ca-file set by default");
 
 	g_object_set (G_OBJECT (session),
diff --git a/tests/ssl-test.c b/tests/ssl-test.c
index 2c93ca85f196f32880f5cb39539a1036db0d78df..501c34793de83ebbd83853d38ef3494b55c1e408 100644
--- a/tests/ssl-test.c
+++ b/tests/ssl-test.c
@@ -174,10 +174,10 @@ do_session_property_tests (void)
 		      "tls-database", &tlsdb,
 		      "ssl-ca-file", &ca_file,
 		      NULL);
-	soup_test_assert (!use_system,
-			  "ssl-use-system-ca-file defaults to TRUE");
-	soup_test_assert (tlsdb == NULL,
-			  "tls-database set by default");
+	soup_test_assert (use_system,
+			  "ssl-use-system-ca-file defaults to FALSE");
+	soup_test_assert (tlsdb != NULL,
+			  "tls-database not set by default");
 	soup_test_assert (ca_file == NULL,
 			  "ca-file set by default");
 
@@ -195,7 +195,7 @@ do_session_property_tests (void)
 	g_assert_true (use_system_changed);
 	soup_test_assert (tlsdb != NULL,
 			  "setting ssl-use-system-ca-file didn't set tls-database");
-	g_assert_true (tlsdb_changed);
+	g_assert_false (tlsdb_changed);
 	g_clear_object (&tlsdb);
 	soup_test_assert (ca_file == NULL,
 			  "setting ssl-use-system-ca-file set ssl-ca-file");