diff --git a/control/controlclient/direct.go b/control/controlclient/direct.go
index 5a83e3067..2c6b9ff56 100644
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -16,7 +16,6 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
-	"net/url"
 	"os"
 	"reflect"
 	"strconv"
@@ -116,10 +115,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		return nil, errors.New("controlclient.New: no server URL specified")
 	}
 	opts.ServerURL = strings.TrimRight(opts.ServerURL, "/")
-	serverURL, err := url.Parse(opts.ServerURL)
-	if err != nil {
-		return nil, err
-	}
 	if opts.TimeNow == nil {
 		opts.TimeNow = time.Now
 	}
diff --git a/net/tlsdial/tlsdial.go b/net/tlsdial/tlsdial.go
index b8012ad85..c7d6e26fb 100644
--- a/net/tlsdial/tlsdial.go
+++ b/net/tlsdial/tlsdial.go
@@ -8,8 +8,6 @@ package tlsdial
 
 import "crypto/tls"
 
-var platformModifyConf func(*tls.Config)
-
 // Config returns a tls.Config for dialing the given host.
 // If base is non-nil, it's cloned as the base config before
 // being configured and returned.
@@ -22,9 +20,5 @@ func Config(host string, base *tls.Config) *tls.Config {
 	}
 	conf.ServerName = host
 
-	if platformModifyConf != nil {
-		platformModifyConf(conf)
-	}
-
 	return conf
 }
diff --git a/net/tlsdial/verify_darwin_arm64.go b/net/tlsdial/verify_darwin_arm64.go
deleted file mode 100644
index 2c349c1fd..000000000
--- a/net/tlsdial/verify_darwin_arm64.go
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin,arm64,usex509fork
-
-package tlsdial
-
-import (
-	"crypto/tls"
-	"errors"
-	"time"
-
-	"crypto/x509"
-
-	x509fork "tailscale.com/tempfork/x509"
-)
-
-func init() {
-	platformModifyConf = useX509Fork
-}
-
-func useX509Fork(conf *tls.Config) {
-	// Modify conf to use our fork of crypto/x509 instead.
-
-	// This prevents crypto/tls from using the standard library's
-	// x509. We will then be responsible for the rest.
-	conf.InsecureSkipVerify = true
-
-	// Do what crypto/tls would've done for us:
-	conf.VerifyPeerCertificate = func(rawCerts [][]byte, _verifiedChains [][]*x509.Certificate) error {
-		if conf.ServerName == "" {
-			return errors.New("no tls.Config.ServerName set")
-		}
-		if len(rawCerts) == 0 {
-			// Shouldn't happen, but.
-			return errors.New("no rawCerts from server")
-		}
-		certs := make([]*x509fork.Certificate, len(rawCerts))
-		for i, asn1Data := range rawCerts {
-			cert, err := x509fork.ParseCertificate(asn1Data)
-			if err != nil {
-				return err
-			}
-			certs[i] = cert
-		}
-		opts := x509fork.VerifyOptions{
-			CurrentTime:   time.Now(),
-			DNSName:       conf.ServerName,
-			Intermediates: x509fork.NewCertPool(),
-		}
-		for _, cert := range certs[1:] {
-			opts.Intermediates.AddCert(cert)
-		}
-		_, err := certs[0].Verify(opts)
-		return err
-	}
-}