diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 30f5035cbc..88427effb5 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -608,7 +608,7 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
      */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
-        ssl->handshake->verify_cookie != NULL )
+        ssl->handshake->cookie != NULL )
     {
         return( 0 );
     }
@@ -846,7 +846,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
     {
         MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 );
 
-        if( ssl->handshake->verify_cookie == NULL )
+        if( ssl->handshake->cookie == NULL )
         {
             MBEDTLS_SSL_DEBUG_MSG( 3, ( "no verify cookie to send" ) );
             *p++ = 0;
@@ -854,15 +854,15 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
         else
         {
             MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
-                              ssl->handshake->verify_cookie,
-                              ssl->handshake->verify_cookie_len );
+                              ssl->handshake->cookie,
+                              ssl->handshake->verify_cookie_len );
 
             *p++ = ssl->handshake->verify_cookie_len;
 
             MBEDTLS_SSL_CHK_BUF_PTR( p, end, ssl->handshake->verify_cookie_len );
 
-            memcpy( p, ssl->handshake->verify_cookie,
-                    ssl->handshake->verify_cookie_len );
+            memcpy( p, ssl->handshake->cookie,
+                    ssl->handshake->verify_cookie_len );
             p += ssl->handshake->verify_cookie_len;
         }
     }
@@ -1645,16 +1645,16 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
     }
     MBEDTLS_SSL_DEBUG_BUF( 3, "cookie", p, cookie_len );
 
-    mbedtls_free( ssl->handshake->verify_cookie );
+    mbedtls_free( ssl->handshake->cookie );
 
-    ssl->handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
-    if( ssl->handshake->verify_cookie == NULL )
+    ssl->handshake->cookie = mbedtls_calloc( 1, cookie_len );
+    if( ssl->handshake->cookie == NULL )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", cookie_len ) );
         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
     }
 
-    memcpy( ssl->handshake->verify_cookie, p, cookie_len );
+    memcpy( ssl->handshake->cookie, p, cookie_len );
     ssl->handshake->verify_cookie_len = cookie_len;
 
     /* Start over at ClientHello */
@@ -1736,8 +1736,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
         else
         {
             /* We made it through the verification process */
-            mbedtls_free( ssl->handshake->verify_cookie );
-            ssl->handshake->verify_cookie = NULL;
+            mbedtls_free( ssl->handshake->cookie );
+            ssl->handshake->cookie = NULL;
             ssl->handshake->verify_cookie_len = 0;
         }
     }
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 7ee9883204..4618d4612e 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -704,17 +704,20 @@ struct mbedtls_ssl_handshake_params
 
     } buffering;
 
-#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    unsigned char *verify_cookie;       /*!< Cli: HelloVerifyRequest cookie
-                                         *   for dtls / tls 1.3
-                                         *   Srv: unused */
-    unsigned char verify_cookie_len;    /*!< Cli: cookie length for
-                                         *   dtls / tls 1.3
+#if defined(MBEDTLS_SSL_CLI_C) && \
+    ( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
+    unsigned char *cookie;              /*!< HelloVerifyRequest cookie for DTLS
+                                         *   HelloRetryRequest cookie for TLS 1.3 */
+#endif /* MBEDTLS_SSL_CLI_C &&
+          ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    unsigned char verify_cookie_len;    /*!< Cli: HelloVerifyRequest cookie
+                                         *   length
                                          *   Srv: flag for sending a cookie */
-    uint16_t hrr_cookie_len;            /*!< Cli: hrr cookie length for
-                                         *   dtls / tls 1.3
-                                         *   Srv: unused */
-#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* MBEDTLS_SSL_PROTO_DTLS */
+#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
+    uint16_t hrr_cookie_len;            /*!< HelloRetryRequest cookie length */
+#endif /* MBEDTLS_SSL_CLI_C || MBEDTLS_SSL_PROTO_TLS1_3 */
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     unsigned int out_msg_seq;           /*!< Outgoing handshake sequence number */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 0177add1f4..7c7c1601f8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
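Review bot: The closing comment on the new TLS 1.3 guard does not match its condition: the `#if` reads `defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)` while the `#endif` says `/* MBEDTLS_SSL_CLI_C || MBEDTLS_SSL_PROTO_TLS1_3 */`; it should read `#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */`. Since `cookie` is now a client-only heap pointer, its Doxygen comment would be more useful if it stated ownership, e.g. `/*!< Cli: heap buffer holding the pending HelloVerifyRequest (DTLS) or HelloRetryRequest (TLS 1.3) cookie, NULL when none; allocated by the client parsers, released in mbedtls_ssl_handshake_free */` — this diff shows exactly those allocation and free sites, so the claim is grounded. The struct definition begins and ends outside the hunk.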
@@ -3100,9 +3100,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
     mbedtls_pk_free( &handshake->peer_pubkey );
 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 
-#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
-    mbedtls_free( handshake->verify_cookie );
-#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_CLI_C) && \
+    ( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
+    mbedtls_free( handshake->cookie );
+#endif /* MBEDTLS_SSL_CLI_C &&
+          ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     mbedtls_ssl_flight_free( handshake->flight );
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 91791b83e3..c52c6c2526 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -671,10 +671,10 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
     MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
 
-    mbedtls_free( handshake->verify_cookie );
+    mbedtls_free( handshake->cookie );
     handshake->hrr_cookie_len = 0;
-    handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
-    if( handshake->verify_cookie == NULL )
+    handshake->cookie = mbedtls_calloc( 1, cookie_len );
+    if( handshake->cookie == NULL )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1,
                 ( "alloc failed ( %ud bytes )",
@@ -682,7 +682,7 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
     }
 
-    memcpy( handshake->verify_cookie, p, cookie_len );
+    memcpy( handshake->cookie, p, cookie_len );
     handshake->hrr_cookie_len = cookie_len;
 
     return( 0 );
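Review bot: A zero-length cookie is not rejected before the allocation in ssl_tls13_parse_cookie_ext: with `cookie_len == 0`, `mbedtls_calloc( 1, cookie_len )` may either return NULL and be reported as MBEDTLS_ERR_SSL_ALLOC_FAILED, or return a non-NULL pointer so that `handshake->cookie` is set with `hrr_cookie_len == 0` and an empty cookie is echoed in the next ClientHello. Unless the length is already validated where it is read (outside this hunk), a check right after the bounds check, e.g. `if( cookie_len == 0 ) return( MBEDTLS_ERR_SSL_DECODE_ERROR );`, would keep the parser aligned with the `cookie<1..2^16-1>` definition in RFC 8446 and avoid the NULL-means-absent ambiguity the writer relies on. The debug message `"alloc failed ( %ud bytes )"` also prints a stray `d` after the number; `%u` with the argument cast to `unsigned` is presumably what was intended, though the argument line is outside the hunk. The function starts and ends outside the hunk.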
@@ -697,14 +697,14 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
 
     *out_len = 0;
 
-    if( ssl->handshake->verify_cookie == NULL )
+    if( ssl->handshake->cookie == NULL )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "no cookie to send; skip extension" ) );
         return( 0 );
     }
 
     MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, cookie",
-                           ssl->handshake->verify_cookie,
+                           ssl->handshake->cookie,
                            ssl->handshake->hrr_cookie_len );
 
     MBEDTLS_SSL_CHK_BUF_PTR( p, end, ssl->handshake->hrr_cookie_len + 6 );
@@ -717,7 +717,7 @@ static int ssl_tls13_write_cookie_ext( mbedtls_ssl_context *ssl,
     p += 6;
 
     /* Cookie */
-    memcpy( p, ssl->handshake->verify_cookie, ssl->handshake->hrr_cookie_len );
+    memcpy( p, ssl->handshake->cookie, ssl->handshake->hrr_cookie_len );
 
     *out_len = ssl->handshake->hrr_cookie_len + 6;