diff --git a/library/ssl_client.c b/library/ssl_client.c
index bd9edf15f0..2c5f664945 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -79,7 +79,7 @@ static int ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
 {
 ssl->session_negotiate->hostname = mbedtls_calloc( 1, hostname_len );
 if( ssl->session_negotiate->hostname == NULL )
- return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
 memcpy(ssl->session_negotiate->hostname, ssl->hostname, hostname_len);
 }
 ssl->session_negotiate->hostname_len = hostname_len;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9238761639..fa4e6930e5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -300,12 +300,11 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
 if( src->hostname != NULL )
 {
- dst->hostname = mbedtls_calloc( 1, src->hostname_len + 1 );
+ dst->hostname = mbedtls_calloc( 1, src->hostname_len );
 if( dst->hostname == NULL )
 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
 memcpy( dst->hostname, src->hostname, src->hostname_len );
- dst->hostname[src->hostname_len] = '\0';
 }
 #endif
@@ -1957,6 +1956,7 @@ mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
 * uint32 ticket_age_add;
 * uint8 ticket_flags;
 * opaque resumption_key<0..255>;
+ * opaque hostname<1..2^8-1>;
 * select ( endpoint ) {
 * case client: ClientOnlyData;
 * case server: uint64 start_time;
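Review bot: In mbedtls_ssl_session_copy, dropping the `+ 1` and the explicit `dst->hostname[src->hostname_len] = '\0';` leaves the copy NUL-terminated only if the source buffer already carries its terminator inside `hostname_len`, and nothing visible in this hunk establishes that. The ssl_tls13_session_load hunk makes the same assumption on bytes taken from a serialized session, which it copies without looking at the last byte. If any consumer reads `session->hostname` as a C string, a buffer without the terminator is over-read, so the invariant should be stated at the field (for example `/* hostname_len counts the terminating NUL */`) and enforced on load with `if( p[session->hostname_len - 1] != '\0' ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` inside the `hostname_len > 0` branch. The body of mbedtls_ssl_session_copy continues outside the hunk.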
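Review bot: The added line `opaque hostname<1..2^8-1>;` in the serialization comment gives a minimum length of 1, but the save and load hunks of this commit write and accept a length byte of zero with no data after it. The documented format should match what is serialized, i.e. `opaque hostname<0..2^8-1>;`. The comment block this line belongs to starts and ends outside the hunk.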
@@ -2021,14 +2021,14 @@ static int ssl_tls13_session_save( const mbedtls_ssl_session *session,
 memcpy( p, session->resumption_key, session->resumption_key_len );
 p += session->resumption_key_len;
+ p[0] = session->hostname_len;
+ p++;
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
 if( session->endpoint == MBEDTLS_SSL_IS_CLIENT &&
- session->hostname_len != 0 &&
+ session->hostname_len > 0 &&
 session->hostname != NULL )
 {
 /* save host name */
- p[0] = session->hostname_len;
- p++;
 memcpy( p, session->hostname, session->hostname_len );
 p += session->hostname_len;
 }
@@ -2100,11 +2100,14 @@ static int ssl_tls13_session_load( mbedtls_ssl_session *session,
 p += 1;
 if( end - p < session->hostname_len )
 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
- session->hostname = mbedtls_calloc( 1, session->hostname_len );
- if( session->hostname == NULL )
- return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
- memcpy( session->hostname, p, session->hostname_len );
- p += session->hostname_len;
+ if( session->hostname_len > 0 )
+ {
+ session->hostname = mbedtls_calloc( 1, session->hostname_len );
+ if( session->hostname == NULL )
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ memcpy( session->hostname, p, session->hostname_len );
+ p += session->hostname_len;
+ }
 }
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */
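Review bot: In ssl_tls13_session_save the length byte is now written before the `#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)` guard, while the hostname bytes are still written only for a client session with a non-NULL hostname, so the two can disagree. A session with a non-zero `hostname_len` that skips the branch serializes a length with no data behind it, and the loader then takes the following fields as the hostname. The guard in mbedtls_ssl_session_copy suggests the hostname fields exist only under MBEDTLS_SSL_SERVER_NAME_INDICATION, in which case the unguarded `session->hostname_len` would not compile without it. The load hunk appears to read the length inside the same guard, so the reader needs the matching unconditional read. The length byte should come from the same condition that writes the data, as sketched below. The output-size accounting for the extra byte sits outside the hunk and should be checked, as should whether `hostname_len` can exceed 255 before it is narrowed to one byte.

```c
/* … unchanged: resumption_key copy … */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
    if( session->endpoint == MBEDTLS_SSL_IS_CLIENT &&
        session->hostname_len > 0 &&
        session->hostname != NULL )
    {
        /* length byte and data are emitted together so they cannot disagree */
        *p++ = (unsigned char) session->hostname_len;
        memcpy( p, session->hostname, session->hostname_len );
        p += session->hostname_len;
    }
    else
#endif
    {
        /* no hostname stored: empty vector, the length byte is still present */
        *p++ = 0;
    }
```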