diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d11db3f55..69d3b7593 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1615,12 +1615,7 @@ struct mbedtls_ssl_context
 /*
 * PKI layer
 */
-#if defined(MBEDTLS_SSL_CLI_C)
- int MBEDTLS_PRIVATE(client_auth); /*!< used to check if CertificateRequest is
- received from server side. If
- CertificateReqeust is received, Certificate
- and CertificateVerify should be sent to server */
-#endif /* MBEDTLS_SSL_CLI_C */
+
 /*
 * User settings
 */
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index e411b7049..825034a8d 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -3137,12 +3137,13 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
 }
 ssl->state++;
- ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
+ ssl->handshake->client_auth =
+ ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
- ssl->client_auth ? "a" : "no" ) );
+ ssl->handshake->client_auth ? "a" : "no" ) );
- if( ssl->client_auth == 0 )
+ if( ssl->handshake->client_auth == 0 )
 {
 /* Current message is probably the ServerHelloDone */
 ssl->keep_current_message = 1;
@@ -3794,7 +3795,8 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
 return( 0 );
 }
- if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
+ if( ssl->handshake->client_auth == 0 ||
+ mbedtls_ssl_own_cert( ssl ) == NULL )
 {
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
 ssl->state++;
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 0c43c795a..a8a7119a5 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
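Review bot: The flag is assigned only at this point in ssl_parse_certificate_request (first ssl_cli.c hunk), so any path that reaches a reader without passing the assignment sees whatever value the handshake structure was created with, and nothing in this diff shows that initialisation. The readers are the `ssl->handshake->client_auth == 0` checks in ssl_write_certificate_verify (second ssl_cli.c hunk) and mbedtls_ssl_write_certificate (ssl_tls.c hunk), and both decide whether the client presents its certificate material. If the handshake parameters are zeroed when allocated, the default is the safe one (no unsolicited certificate), but that deserves a comment at the assignment such as `/* client_auth is 0 at the start of every handshake; set only when the server sends a CertificateRequest */`. A renegotiation test in which the second handshake carries no CertificateRequest would pin that behaviour. The body of ssl_parse_certificate_request begins and ends outside the hunk.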
@@ -768,6 +768,12 @@ struct mbedtls_ssl_handshake_params
 * but can be overwritten by the HRR. */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_CLI_C)
+ int client_auth; /*!< used to check if CertificateRequest is received
+ from server side. If CertificateReqeust is
+ received, Certificate and CertificateVerify
+ should be sent to server */
+#endif /* MBEDTLS_SSL_CLI_C */
 /*
 * State-local variables used during the processing
 * of a specific handshake state.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f261a6a89..87fa395e5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1701,7 +1701,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_CLI_C)
 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
 {
- if( ssl->client_auth == 0 )
+ if( ssl->handshake->client_auth == 0 )
 {
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
 ssl->state++;
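Review bot: The comment on the new `client_auth` member in the ssl_misc.h hunk carries over the misspelling `CertificateReqeust`, and it does not say which values the field takes or how long it is meaningful. Every use in this diff reads it as a zero / non-zero flag, so the comment could say so directly: `/*!< Non-zero if the server sent a CertificateRequest in this handshake; the client then sends Certificate and CertificateVerify. */`. Now that the member lives in the handshake parameters, it is also worth noting there that the value is per-handshake. The struct definition begins and ends outside the hunk.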