diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index 8d1ce50b7..d7cc33075 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -104,13 +104,16 @@ void ssl_free_engines(void);
 #ifdef HAVE_SSL_PROVIDERS
 void ssl_unload_providers(void);
 #endif
+
 #ifdef HAVE_SSL_CLIENT_HELLO_CB
 int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv);
-#ifdef OPENSSL_IS_BORINGSSL
+# ifdef OPENSSL_IS_BORINGSSL
 int ssl_sock_switchctx_cbk(const struct ssl_early_callback_ctx *ctx);
-#else
+# else /* ! OPENSSL_IS_BORINGSSL */
 int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *arg);
-#endif
+# endif
+#else /* ! HAVE_SSL_CLIENT_HELLO_CB */
+int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv);
 #endif
 
 SSL_CTX *ssl_sock_assign_generated_cert(unsigned int key, struct bind_conf *bind_conf, SSL *ssl);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index caf41eb9a..5af91d1b8 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -2945,7 +2945,7 @@ allow_early:
  * warning when no match is found, which implies the default (first) cert
  * will keep being used.
  */
-static int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
+int ssl_sock_switchctx_cbk(SSL *ssl, int *al, void *priv)
 {
 	const char *servername;
 	const char *wildp = NULL;