diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index ad940ef8..635ba5ee 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -342,6 +342,13 @@ _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection*
 return res;
 }
 
+const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn)
+{
+ if (!conn || !conn->ssl)
+ return NULL;
+ return SSL_get_version(conn->ssl);
+}
+
 getdns_return_t _getdns_tls_connection_do_handshake(_getdns_tls_connection* conn)
 {
 int r;
diff --git a/src/openssl/tls.h b/src/openssl/tls.h
index dda05030..7e95a165 100644
--- a/src/openssl/tls.h
+++ b/src/openssl/tls.h
@@ -83,6 +83,14 @@ getdns_return_t _getdns_tls_connection_set_curves_list(_getdns_tls_connection* c
 getdns_return_t _getdns_tls_connection_set_session(_getdns_tls_connection* conn, _getdns_tls_session* s);
 _getdns_tls_session* _getdns_tls_connection_get_session(_getdns_tls_connection* conn);
 
+/**
+ * Report the TLS version of the connection.
+ *
+ * @param conn the connection.
+ * @return string with the connection description, NULL on error.
+ */
+const char* _getdns_tls_connection_get_version(_getdns_tls_connection* conn);
+
 /**
 * Attempt TLS handshake.
 *
diff --git a/src/stub.c b/src/stub.c
index 75ee576d..fdcc9db6 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -1865,7 +1865,7 @@ upstream_write_cb(void *userarg)
 cert, &netreq->debug_tls_peer_cert.data);
 X509_free(cert);
 }
- netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj->ssl);
+ netreq->debug_tls_version = _getdns_tls_connection_get_version(netreq->upstream->tls_obj);
 }
 /* Need this because auth status is reset on connection close */
 netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state;
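Review bot: In src/openssl/tls.c, `_getdns_tls_connection_get_version` returns whatever `SSL_get_version` reports regardless of handshake state, and as far as I recall OpenSSL documents that result as unreliable until the initial handshake has completed. The value feeds the request's TLS debug fields, so a caller that runs earlier could record a protocol version that was never negotiated. Either state the precondition above the function, `/* Only meaningful once the handshake has completed. */`, or guard it with `if (!SSL_is_init_finished(conn->ssl)) return NULL;`.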
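Review bot: The `@return` line of the new doc comment in src/openssl/tls.h says "string with the connection description", which does not match what the function returns; the tls.c implementation returns the protocol version name from `SSL_get_version`. The comment also omits who owns the string and when NULL is returned. Suggested wording: `@return the protocol version name; the string belongs to the TLS library and must not be freed. NULL if conn is NULL or has no TLS session object.` The ownership part is my reading of the `const char*` return and should be confirmed against the TLS backend in use.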
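Review bot: In src/stub.c, `netreq->debug_tls_version` can now be assigned NULL, because the wrapper returns NULL when the connection object or its `ssl` member is missing. The readers of `debug_tls_version` are outside this hunk, so it is worth confirming that they check for NULL before formatting or copying the string. At minimum, record the new contract next to the assignment: `/* may be NULL if the TLS object is unavailable; readers must check */`. `upstream_write_cb` starts and ends outside the hunk.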