diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 18994eaa93..6cef573853 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -277,7 +277,12 @@ verify_callback(int state, X509_STORE_CTX *x509ctx, X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx); static uschar txt[256]; +if (tlsp->peercert) + X509_free(tlsp->peercert); +tlsp->peercert = X509_dup(cert); + X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt)); +tlsp->peerdn = txt; if (state == 0) { @@ -289,7 +294,6 @@ if (state == 0) *calledp = TRUE; if (!*optionalp) { - tlsp->peercert = X509_dup(cert); return 0; /* reject */ } DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in " @@ -318,9 +322,6 @@ else uschar * verify_cert_hostnames; #endif - tlsp->peerdn = txt; - tlsp->peercert = X509_dup(cert); - #ifdef EXPERIMENTAL_CERTNAMES if ( tlsp == &tls_out && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
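Review bot: `tlsp->peercert` and `tlsp->peerdn` are now written at the top of verify_callback, before the `state == 0` check, so they are populated for certificates that fail verification as well as those that pass, and nothing here tells later readers of those fields that a non-NULL value is not proof of a verified peer. If the callback runs once per chain certificate, as OpenSSL verify callbacks normally do, the fields also hold CA or intermediate certificates along the way and keep that value when a non-leaf certificate is rejected. I would add a comment above the block, `/* Recorded for every certificate the callback sees, verified or not; not evidence of a verified peer. */`. `X509_dup()` can return NULL on allocation failure and the result is stored unchecked; a guard such as `if (!tlsp->peercert) return 0;` right after the dup would fail closed. verify_callback starts and ends outside the hunk, so how callers consume these fields is not visible here.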