diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 9e16093b3..e3d935506 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1636,10 +1636,16 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
 * otherwise, it is set to MBEDTLS_SSL_CID_DISABLED.
 * \param peer_cid The address of the buffer in which to store the CID
 * chosen by the peer (if the CID extension is used).
+ * This may be \c NULL in case the value of peer CID
+ * isn't needed. If it is not \c NULL, \p peer_cid_len
+ * must not be \c NULL.
 * \param peer_cid_len The address at which to store the size of the CID
 * chosen by the peer (if the CID extension is used).
 * This is also the number of Bytes in \p peer_cid that
 * have been written.
+ * This may be \c NULL in case the length of the peer CID
+ * isn't needed. If it is \c NULL, \p peer_cid must be
+ * \c NULL, too.
 *
 * \note This applies to the state of the CID negotiated in
 * the last complete handshake. If a handshake is in
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 4b93b2ca5..22adfc50c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -194,9 +194,15 @@ int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
 return( 0 );
 }
- *peer_cid_len = ssl->transform_in->out_cid_len;
- memcpy( peer_cid, ssl->transform_in->out_cid,
- ssl->transform_in->out_cid_len );
+ if( peer_cid_len != NULL )
+ {
+ *peer_cid_len = ssl->transform_in->out_cid_len;
+ if( peer_cid != NULL )
+ {
+ memcpy( peer_cid, ssl->transform_in->out_cid,
+ ssl->transform_in->out_cid_len );
+ }
+ }
 *enabled = MBEDTLS_SSL_CID_ENABLED;
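Review bot: The `peer_cid` entry in include/mbedtls/ssl.h now explains when the pointer may be NULL, but the visible text still gives no minimum capacity for the caller's buffer, and the implementation copies `out_cid_len` bytes into it with no destination size to check against. Unless the bound is already stated in a part of this comment outside the hunk, I would add a line such as `The buffer must have room for at least MBEDTLS_SSL_CID_OUT_LEN_MAX bytes.`, assuming that constant is the upper bound on `out_cid_len`. The comment should also say what the function does when `peer_cid` is non-NULL and `peer_cid_len` is NULL, because the new code in library/ssl_tls.c skips the copy in that case without reporting anything. The comment block starts and ends outside the hunk.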
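Review bot: A caller that passes a non-NULL `peer_cid` together with a NULL `peer_cid_len` gets no copy in the library/ssl_tls.c hunk, yet `*enabled` is still set to MBEDTLS_SSL_CID_ENABLED, so the caller can go on to read a buffer this function never wrote. The header documents that combination as invalid, so rejecting it explicitly would surface the contract violation instead of hiding it: `if( peer_cid != NULL && peer_cid_len == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );`, placed with the function's other argument checks if it has any, or at least ahead of the copy. `enabled` is still dereferenced unconditionally while the other two outputs are now optional, which deserves a short comment such as `/* enabled is mandatory; only the CID outputs may be NULL */`. The function starts and ends outside the hunk, so the return path after this assignment is assumed rather than visible.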