diff --git a/tls.c b/tls.c
index de1487ac83..0d1372f2da 100644
--- a/tls.c
+++ b/tls.c
@@ -33,26 +33,30 @@ const unsigned char *ssl_get_peer_cn(conn *c, int *len) {
         return NULL;
     }
 
-    // get0 to avoid getting a reference.
-    X509 *cert = SSL_get0_peer_certificate(c->ssl);
+    // can't use get0 to avoid getting a reference since that requires 3.0.0+
+    X509 *cert = SSL_get_peer_certificate(c->ssl);
     if (cert == NULL) {
         return NULL;
     }
     X509_NAME *name = X509_get_subject_name(cert);
     if (name == NULL) {
+        X509_free(cert);
         return NULL;
     }
 
     int r = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
     if (r == -1) {
+        X509_free(cert);
         return NULL;
     }
     ASN1_STRING *asn1 = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, r));
 
     if (asn1 == NULL) {
+        X509_free(cert);
         return NULL;
     }
     *len = ASN1_STRING_length(asn1);
+    X509_free(cert);
     return ASN1_STRING_get0_data(asn1);
 }