diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 3c812f25a4..8a1c19d8f6 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -928,6 +928,22 @@ const char *ssl_get_ciphersuite( const ssl_context *ssl );
 */
 const char *ssl_get_version( const ssl_context *ssl );
 
+/**
+ * \brief Return the peer certificate from the current connection
+ *
+ * Note: Can be NULL in case no certificate was sent during
+ * the handshake. Different calls for the same connection can
+ * return the same or different pointers for the same
+ * certificate and even a different certificate altogether.
+ * The peer cert CAN change in a single connection if
+ * renegotiation is performed.
+ *
+ * \param ssl SSL context
+ *
+ * \return the current peer certificate
+ */
+const x509_cert *ssl_get_peer_cert( const ssl_context *ssl );
+
 /**
 * \brief Perform the SSL handshake
 *
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f5fcba47b7..b63c7d4c24 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3405,6 +3405,14 @@ const char *ssl_get_version( const ssl_context *ssl )
 return( "unknown" );
 }
 
+const x509_cert *ssl_get_peer_cert( const ssl_context *ssl )
+{
+ if( ssl == NULL || ssl->session == NULL )
+ return NULL;
+
+ return ssl->session->peer_cert;
+}
+
 const int ssl_default_ciphersuites[] =
 {
 #if defined(POLARSSL_DHM_C)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index ae98b1bad9..949ef58f55 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -539,7 +539,7 @@ int main( int argc, char *argv[] )
 
 printf( " . Peer certificate information ...\n" );
 x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
- ssl.session->peer_cert );
+ ssl_get_peer_cert( &ssl ) );
 printf( "%s\n", buf );
 
 /*
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index b450030c98..b303df8d06 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
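Review bot: The `\return` line of the new ssl_get_peer_cert() declaration does not say the pointer can be NULL, even though the note above it and the implementation in library/ssl_tls.c (which also returns NULL when `ssl` or `ssl->session` is NULL) make that a normal outcome; callers reading only the `\return` tag will pass the result straight into X.509 helpers. Suggest `\return the current peer certificate, or NULL if no certificate was sent or the context has no session`. It would also help to state ownership, since nothing here says who frees the object: add `\note The returned pointer is owned by the session; do not free it, and do not use it after the session is freed or renegotiated.`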
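Review bot: The two return statements in the new ssl_get_peer_cert() body use bare `return NULL;` and `return ssl->session->peer_cert;`, while the surrounding file (see the context line `return( "unknown" );`) parenthesises return values; for consistency use `return( NULL );` and `return( ssl->session->peer_cert );`. A one-line comment above the function stating that the pointer aliases session-owned memory and is only valid until the session is freed or renegotiated would make the lifetime explicit at the definition as well as in the header.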
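Review bot: The new line passes `ssl_get_peer_cert( &ssl )` directly into x509parse_cert_info() with no NULL check, although the header added in this same commit documents that the getter returns NULL when the peer sent no certificate; if x509parse_cert_info() does not accept NULL (I cannot confirm from the hunk), a peer that omits its certificate turns into a NULL dereference in the client. Suggest `const x509_cert *peer = ssl_get_peer_cert( &ssl );` followed by `if( peer != NULL )` around the x509parse_cert_info() call, printing a short "no certificate sent" message otherwise as ssl_server2.c already does. The same unguarded pattern appears in the programs/ssl/ssl_mail_client.c hunk. main() begins and ends outside this hunk.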
@@ -172,7 +172,7 @@ int do_handshake( ssl_context *ssl, struct options *opt )
 
 printf( " . Peer certificate information ...\n" );
 x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
- ssl->session->peer_cert );
+ ssl_get_peer_cert( &ssl ) );
 printf( "%s\n", buf );
 
 return( 0 );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 5076be398d..3e2c35e1bf 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -501,7 +501,7 @@ reset:
 {
 printf( " failed\n" );
 
- if( !ssl.session->peer_cert )
+ if( !ssl_get_peer_cert( &ssl ) )
 printf( " ! no client certificate sent\n" );
 
 if( ( ret & BADCERT_EXPIRED ) != 0 )
@@ -518,11 +518,11 @@ reset:
 else
 printf( " ok\n" );
 
- if( ssl.session->peer_cert )
+ if( ssl_get_peer_cert( &ssl ) )
 {
 printf( " . Peer certificate information ...\n" );
 x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ",
- ssl_get_peer_cert( &ssl ) );
+ ssl_get_peer_cert( &ssl ) );
 printf( "%s\n", buf );
 }
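Review bot: In do_handshake() the parameter is already a pointer (`int do_handshake( ssl_context *ssl, ... )`, and the removed line read `ssl->session->peer_cert`), so the new call `ssl_get_peer_cert( &ssl )` passes an `ssl_context **` where a `const ssl_context *` is expected; it was copied from the ssl_client2.c/ssl_server2.c hunks, where `ssl` is a local struct and `&ssl` is right. That compiles only with an incompatible-pointer warning and then reads the `session` field out of whatever stack memory sits at the address of the local pointer variable, so the certificate printed (or the crash) is undefined behaviour rather than the peer's certificate. The line should be `ssl_get_peer_cert( ssl ) );`. do_handshake()'s body begins outside this hunk.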