diff --git a/boring/src/asn1.rs b/boring/src/asn1.rs
index 27f375f29..1e585dcab 100644
--- a/boring/src/asn1.rs
+++ b/boring/src/asn1.rs
@@ -278,7 +278,7 @@ impl fmt::Display for Asn1TimeRef {
 
 impl fmt::Debug for Asn1TimeRef {
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        f.write_str(&self.to_string())
+        fmt::Display::fmt(self, f)
     }
 }
 
@@ -626,7 +626,7 @@ impl fmt::Display for Asn1ObjectRef {
 
 impl fmt::Debug for Asn1ObjectRef {
     fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
-        fmt.write_str(self.to_string().as_str())
+        fmt::Display::fmt(self, fmt)
     }
 }
 
diff --git a/boring/src/x509/extension.rs b/boring/src/x509/extension.rs
index 1ed6f4f5b..0f51c3b59 100644
--- a/boring/src/x509/extension.rs
+++ b/boring/src/x509/extension.rs
@@ -79,7 +79,7 @@ impl BasicConstraints {
             value.push_str("FALSE");
         }
         if let Some(pathlen) = self.pathlen {
-            write!(value, ",pathlen:{pathlen}").unwrap();
+            write!(value, ",pathlen:{pathlen}").map_err(ErrorStack::internal_error)?;
         }
         X509Extension::new_nid(None, None, Nid::BASIC_CONSTRAINTS, &value)
     }
@@ -454,31 +454,31 @@ impl SubjectAlternativeName {
 
     /// Sets the `email` flag.
     pub fn email(&mut self, email: &str) -> &mut SubjectAlternativeName {
-        self.items.push(RustGeneralName::Email(email.to_string()));
+        self.items.push(RustGeneralName::Email(email.to_owned()));
         self
     }
 
     /// Sets the `uri` flag.
     pub fn uri(&mut self, uri: &str) -> &mut SubjectAlternativeName {
-        self.items.push(RustGeneralName::Uri(uri.to_string()));
+        self.items.push(RustGeneralName::Uri(uri.to_owned()));
         self
     }
 
     /// Sets the `dns` flag.
     pub fn dns(&mut self, dns: &str) -> &mut SubjectAlternativeName {
-        self.items.push(RustGeneralName::Dns(dns.to_string()));
+        self.items.push(RustGeneralName::Dns(dns.to_owned()));
         self
     }
 
     /// Sets the `rid` flag.
     pub fn rid(&mut self, rid: &str) -> &mut SubjectAlternativeName {
-        self.items.push(RustGeneralName::Rid(rid.to_string()));
+        self.items.push(RustGeneralName::Rid(rid.to_owned()));
         self
     }
 
     /// Sets the `ip` flag.
     pub fn ip(&mut self, ip: &str) -> &mut SubjectAlternativeName {
-        self.items.push(RustGeneralName::Ip(ip.to_string()));
+        self.items.push(RustGeneralName::Ip(ip.to_owned()));
         self
     }
 
diff --git a/boring/src/x509/store.rs b/boring/src/x509/store.rs
index 95aedda4d..a9f4195ba 100644
--- a/boring/src/x509/store.rs
+++ b/boring/src/x509/store.rs
@@ -95,12 +95,16 @@ impl X509StoreBuilderRef {
         unsafe { cvt(ffi::X509_STORE_set_default_paths(self.as_ptr())) }
     }
 
+    /// Sets certificate chain validation related flags.
+    #[corresponds(X509_STORE_set_flags)]
+    pub fn try_set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())) }
+    }
+
     /// Sets certificate chain validation related flags.
     #[corresponds(X509_STORE_set_flags)]
     pub fn set_flags(&mut self, flags: X509VerifyFlags) {
-        unsafe {
-            cvt(ffi::X509_STORE_set_flags(self.as_ptr(), flags.bits())).unwrap();
-        }
+        self.try_set_flags(flags).expect("use try_set_flags");
     }
 
     /// Returns a mutable reference to the X509 verification configuration.
diff --git a/boring/src/x509/tests/trusted_first.rs b/boring/src/x509/tests/trusted_first.rs
index 3755a876b..c5ecaabf0 100644
--- a/boring/src/x509/tests/trusted_first.rs
+++ b/boring/src/x509/tests/trusted_first.rs
@@ -43,7 +43,7 @@ fn test_verify_cert() {
             &leaf,
             &[&root1, &root2],
             &[&intermediate, &root1_cross],
-            |param| param.set_flags(X509VerifyFlags::TRUSTED_FIRST),
+            |param| param.try_set_flags(X509VerifyFlags::TRUSTED_FIRST).unwrap(),
         )
     );
 
@@ -60,7 +60,9 @@ fn test_verify_cert() {
     assert_eq!(
         Ok(()),
         verify(&leaf, &[&root1], &[&intermediate, &root1_cross], |param| {
-            param.clear_flags(X509VerifyFlags::TRUSTED_FIRST);
+            param
+                .try_clear_flags(X509VerifyFlags::TRUSTED_FIRST)
+                .unwrap();
         })
     );
 }
diff --git a/boring/src/x509/verify.rs b/boring/src/x509/verify.rs
index 3ca7ca9d1..e748ff78f 100644
--- a/boring/src/x509/verify.rs
+++ b/boring/src/x509/verify.rs
@@ -74,28 +74,37 @@ impl X509VerifyParamRef {
     /// Set verification flags.
     #[corresponds(X509_VERIFY_PARAM_set_flags)]
     pub fn set_flags(&mut self, flags: X509VerifyFlags) {
+        self.try_set_flags(flags).expect("use try_set_flags");
+    }
+
+    /// Set verification flags.
+    #[corresponds(X509_VERIFY_PARAM_set_flags)]
+    pub fn try_set_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
         unsafe {
             cvt(ffi::X509_VERIFY_PARAM_set_flags(
                 self.as_ptr(),
                 flags.bits(),
             ))
-            .unwrap();
         }
     }
 
     /// Clear verification flags.
     #[corresponds(X509_VERIFY_PARAM_clear_flags)]
     pub fn clear_flags(&mut self, flags: X509VerifyFlags) {
+        self.try_clear_flags(flags).expect("use try_clear_flags");
+    }
+
+    /// Clear verification flags.
+    #[corresponds(X509_VERIFY_PARAM_clear_flags)]
+    pub fn try_clear_flags(&mut self, flags: X509VerifyFlags) -> Result<(), ErrorStack> {
         unsafe {
             cvt(ffi::X509_VERIFY_PARAM_clear_flags(
                 self.as_ptr(),
                 flags.bits(),
             ))
-            .unwrap();
         }
     }
 
-    ///
     /// Set the host flags.
     #[corresponds(X509_VERIFY_PARAM_set_hostflags)]
     pub fn set_hostflags(&mut self, hostflags: X509CheckFlags) {