diff --git a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
index e6bd41143c165..7e5f00822717e 100644
--- a/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
+++ b/src/native/libs/System.Security.Cryptography.Native/pal_ssl.c
@@ -673,7 +673,14 @@ int CryptoNative_SslCtxSetCaching(SSL_CTX* ctx, int mode, int cacheSize, int con
 // void shim functions don't lead to exceptions, so skip the unconditional error clearing.
 // We never reuse same CTX for both client and server
- SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_MODE, mode ? SSL_SESS_CACHE_BOTH : SSL_SESS_CACHE_OFF, NULL);
+ int modeFlags = SSL_SESS_CACHE_BOTH;
+ if (newSessionCb && removeSessionCb)
+ {
+ // sessions are completely controlled externally (from .NET), disable internal cache
+ modeFlags |= SSL_SESS_CACHE_NO_INTERNAL_STORE;
+ }
+
+ SSL_CTX_ctrl(ctx, SSL_CTRL_SET_SESS_CACHE_MODE, mode ? modeFlags : SSL_SESS_CACHE_OFF, NULL);
 if (mode == 0)
 {
 SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
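Review bot: The added comment says the internal cache is disabled, but `SSL_SESS_CACHE_NO_INTERNAL_STORE` only stops OpenSSL from storing sessions; internal lookups stay enabled unless `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` is set as well. If the intent is that session state lives only on the .NET side, `modeFlags |= SSL_SESS_CACHE_NO_INTERNAL;` states that directly; otherwise the comment should be narrowed to something like `// sessions are stored externally (from .NET); do not also store them in the internal cache`. With the internal store off, dropping invalidated or expired sessions depends entirely on `removeSessionCb`, so it is worth confirming that every supported OpenSSL version still invokes it for sessions it never stored internally; I cannot check that from the hunk. The body of `CryptoNative_SslCtxSetCaching` starts and ends outside the hunk, so where the callbacks and `cacheSize` are applied is not visible here.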