diff --git a/lib/cert-cred.c b/lib/cert-cred.c
index d3777e51f..2150e903f 100644
--- a/lib/cert-cred.c
+++ b/lib/cert-cred.c
@@ -387,6 +387,13 @@ static int call_legacy_cert_cb1(gnutls_session_t session,
 if (ret < 0)
 return gnutls_assert_val(ret);
 
+ if (st2.ncerts == 0) {
+ *pcert_length = 0;
+ *ocsp_length = 0;
+ *privkey = NULL;
+ return 0;
+ }
+
 if (st2.cert_type != GNUTLS_CRT_X509) {
 gnutls_assert();
 ret = GNUTLS_E_INVALID_REQUEST;
@@ -503,7 +510,10 @@ void gnutls_certificate_set_retrieve_function
 gnutls_certificate_retrieve_function * func)
 {
 cred->legacy_cert_cb1 = func;
- cred->get_cert_callback3 = call_legacy_cert_cb1;
+ if (!func)
+ cred->get_cert_callback3 = NULL;
+ else
+ cred->get_cert_callback3 = call_legacy_cert_cb1;
 }
 
 static int call_legacy_cert_cb2(gnutls_session_t session,
@@ -578,7 +588,10 @@ void gnutls_certificate_set_retrieve_function2
 gnutls_certificate_retrieve_function2 * func)
 {
 cred->legacy_cert_cb2 = func;
- cred->get_cert_callback3 = call_legacy_cert_cb2;
+ if (!func)
+ cred->get_cert_callback3 = NULL;
+ else
+ cred->get_cert_callback3 = call_legacy_cert_cb2;
 }
 
 /**
diff --git a/lib/hello_ext.c b/lib/hello_ext.c
index a3027130a..f72afe77f 100644
--- a/lib/hello_ext.c
+++ b/lib/hello_ext.c
@@ -208,7 +208,7 @@ int hello_ext_parse(void *_ctx, unsigned tls_id, const uint8_t *data, unsigned d
 
 if (tls_id == PRE_SHARED_KEY_TLS_ID) {
 ctx->seen_pre_shared_key = 1;
- } else if (ctx->seen_pre_shared_key) {
+ } else if (ctx->seen_pre_shared_key && session->security_parameters.entity == GNUTLS_SERVER) {
 /* the pre-shared key extension must always be the last one,
 * draft-ietf-tls-tls13-28: 4.2.11 */
 return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER);
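Review bot: The new `st2.ncerts == 0` early return in call_legacy_cert_cb1 (lib/cert-cred.c, first hunk) zeroes the two length outputs and `*privkey`, but it returns before anything inspects or releases what the legacy callback may have stored in `st2`. If a callback reports zero certificates while still handing back a key it expects the library to own, that key would be neither passed on nor freed on this path; whether that can happen depends on the callback contract, which is not visible here. A short comment such as `/* callback selected no certificate: report an empty chain, not an error */` would make the intent clear. If the function also has pointer outputs paired with the two lengths, setting them to NULL here would keep callers from reading stale values. The function body starts and ends outside the hunk.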
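Review bot: In gnutls_certificate_set_retrieve_function, and identically in gnutls_certificate_set_retrieve_function2 in the following hunk, a NULL `func` now clears `cred->get_cert_callback3` unconditionally, so it also drops a callback installed through the other setter while that setter's `legacy_cert_cb*` field keeps its old value. If the goal is only to stop dispatching through a NULL legacy pointer, that is acceptable, but the API doc comments (outside these hunks) should state that passing NULL unregisters whatever retrieve callback is active. The four-line branch can be written in both places as one assignment, e.g. `cred->get_cert_callback3 = func ? call_legacy_cert_cb1 : NULL;`.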
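Review bot: The comment kept under the changed condition in hello_ext_parse (lib/hello_ext.c) still says the pre-shared key extension "must always be the last one", which no longer matches the code now that the check runs only when `session->security_parameters.entity == GNUTLS_SERVER`. I would reword it along the lines of `/* a ClientHello must carry pre_shared_key as its last extension; as a client we accept it at any position in the ServerHello */`. `session` is not declared in the visible lines, so this assumes it is obtained from `_ctx` earlier in the function, which starts outside the hunk. A regression test in which the peer's ServerHello carries pre_shared_key before another extension would pin the relaxed client-side behaviour.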