diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 983ee03fe..eb96703a5 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -291,6 +291,11 @@ static inline const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOK
 {
 return x->revocationDate;
 }
+
+static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+{
+ return ctx->cert;
+}
 #endif
 #if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (LIBRESSL_VERSION_NUMBER >= 0x2070200fL)
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index bc827833d..83003d9d0 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1592,14 +1592,12 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store)
 * chain, we might never call this verify callback on the client
 * certificate's depth (which is 0) so we try to store the
 * reference right now. */
- if (X509_STORE_CTX_get0_chain(x_store) != NULL) {
- certs = X509_STORE_CTX_get1_chain(x_store);
- if (certs) {
- client_crt = sk_X509_value(certs, 0);
- if (client_crt) {
- X509_up_ref(client_crt);
- SSL_set_ex_data(ssl, ssl_client_crt_ref_index, client_crt);
- }
+ certs = X509_STORE_CTX_get1_chain(x_store);
+ if (certs) {
+ client_crt = sk_X509_value(certs, 0);
+ if (client_crt) {
+ X509_up_ref(client_crt);
+ SSL_set_ex_data(ssl, ssl_client_crt_ref_index, client_crt);
 }
 sk_X509_pop_free(certs, X509_free);
 }
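Review bot: The new `X509_STORE_CTX_get0_cert()` shim hands back `ctx->cert` without taking a reference, and nothing in the header records that ownership rule. A short comment above it would help, for example `/* Returns a borrowed pointer to the certificate being verified; call X509_up_ref() before keeping it beyond the verify callback. */`, so that a later caller does not store the raw pointer and end up with a dangling certificate. The `#if` guarding this block opens outside the hunk, so it is worth confirming that every library version it selects still exposes the `cert` member of `X509_STORE_CTX`.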
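Review bot: In the re-indented block the reference taken by `X509_up_ref(client_crt)` is lost if `SSL_set_ex_data()` fails, because its return value is ignored. Releasing it on failure closes that path: `if (!SSL_set_ex_data(ssl, ssl_client_crt_ref_index, client_crt)) X509_free(client_crt);`. The hunk also does not show whether a certificate already stored at `ssl_client_crt_ref_index` is freed before being overwritten. A verify callback can run several times per handshake, so if that release does not happen earlier in `ssl_sock_bind_verifycbk` (whose body starts and ends outside the hunk), each extra call would leak one reference on a path driven by the peer's certificate chain.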