diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 8602ec6c..ac1a63b4 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -4398,10 +4398,6 @@ typedef struct ssl3_state_st { * didn't use it to create the master secret initially. */ char extended_master_secret; - /* Client-only: peer_psk_identity_hint is the psk_identity_hint sent by the - * server when using a PSK key exchange. */ - char *peer_psk_identity_hint; - /* new_mac_secret_size is unused and exists only until wpa_supplicant can * be updated. It is only needed for EAP-FAST, which we don't support. */ uint8_t new_mac_secret_size; diff --git a/ssl/handshake_client.c b/ssl/handshake_client.c index d48b000f..b8153f5a 100644 --- a/ssl/handshake_client.c +++ b/ssl/handshake_client.c @@ -1116,20 +1116,13 @@ static int ssl3_get_server_key_exchange(SSL *ssl) { } if (ssl->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { + /* Some ciphers (pure PSK) have an optional ServerKeyExchange message. */ if (ssl_cipher_requires_server_key_exchange(ssl->s3->tmp.new_cipher)) { OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_MESSAGE); ssl3_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); return -1; } - /* In plain PSK ciphersuite, ServerKeyExchange may be omitted to send no - * identity hint. */ - if (ssl->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK) { - /* TODO(davidben): This should be reset in one place with the rest of the - * handshake state. */ - OPENSSL_free(ssl->s3->tmp.peer_psk_identity_hint); - ssl->s3->tmp.peer_psk_identity_hint = NULL; - } ssl->s3->tmp.reuse_message = 1; return 1; } @@ -1168,7 +1161,7 @@ static int ssl3_get_server_key_exchange(SSL *ssl) { } /* Save the identity hint as a C string. */ - if (!CBS_strdup(&psk_identity_hint, &ssl->s3->tmp.peer_psk_identity_hint)) { + if (!CBS_strdup(&psk_identity_hint, &ssl->s3->hs->peer_psk_identity_hint)) { al = SSL_AD_INTERNAL_ERROR; OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE); goto f_err; 
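Review bot: In the `@@ -1116` hunk of ssl/handshake_client.c, the branch for an omitted ServerKeyExchange no longer clears the hint, so correctness now depends on `ssl->s3->hs->peer_psk_identity_hint` being NULL at the start of every handshake. That holds only if ssl_handshake_new returns a zeroed struct and a fresh SSL_HANDSHAKE is allocated for each handshake, including any renegotiation; neither is visible in this diff. If either assumption fails, a hint left over from an earlier handshake could be handed to psk_client_callback. I would record the invariant where the reset used to be, e.g. `/* No hint was sent; hs->peer_psk_identity_hint is still NULL from ssl_handshake_new. */` above `ssl->s3->tmp.reuse_message = 1;`. ssl3_get_server_key_exchange starts and ends outside the hunk.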
@@ -1542,7 +1535,7 @@ static int ssl3_send_client_key_exchange(SSL *ssl) { char identity[PSK_MAX_IDENTITY_LEN + 1]; memset(identity, 0, sizeof(identity)); psk_len = ssl->psk_client_callback( - ssl, ssl->s3->tmp.peer_psk_identity_hint, identity, sizeof(identity), + ssl, ssl->s3->hs->peer_psk_identity_hint, identity, sizeof(identity), psk, sizeof(psk)); if (psk_len == 0) { OPENSSL_PUT_ERROR(SSL, SSL_R_PSK_IDENTITY_NOT_FOUND); diff --git a/ssl/internal.h b/ssl/internal.h index 13dec3ac..c090094a 100644 --- a/ssl/internal.h +++ b/ssl/internal.h @@ -922,6 +922,10 @@ struct ssl_handshake_st { size_t num_peer_sigalgs; uint8_t session_tickets_sent; + + /* peer_psk_identity_hint, on the client, is the psk_identity_hint sent by the + * server when using a TLS 1.2 PSK key exchange. */ + char *peer_psk_identity_hint; } /* SSL_HANDSHAKE */; SSL_HANDSHAKE *ssl_handshake_new(enum ssl_hs_wait_t (*do_handshake)(SSL *ssl)); diff --git a/ssl/s3_both.c b/ssl/s3_both.c index 4baa839f..23cda928 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -166,6 +166,7 @@ void ssl_handshake_free(SSL_HANDSHAKE *hs) { OPENSSL_free(hs->key_share_bytes); OPENSSL_free(hs->public_key); OPENSSL_free(hs->peer_sigalgs); + OPENSSL_free(hs->peer_psk_identity_hint); OPENSSL_free(hs); } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 3378526e..2a7bbae7 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -210,7 +210,6 @@ void ssl3_free(SSL *ssl) { sk_X509_NAME_pop_free(ssl->s3->tmp.ca_names, X509_NAME_free); OPENSSL_free(ssl->s3->tmp.certificate_types); OPENSSL_free(ssl->s3->tmp.peer_supported_group_list); - OPENSSL_free(ssl->s3->tmp.peer_psk_identity_hint); SSL_SESSION_free(ssl->s3->new_session); SSL_SESSION_free(ssl->s3->established_session); ssl3_free_handshake_buffer(ssl);
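Review bot: The comment added for `peer_psk_identity_hint` in struct ssl_handshake_st (ssl/internal.h) does not say who owns the pointer or what NULL means. From this diff it is a heap string written by CBS_strdup in ssl3_get_server_key_exchange and released by ssl_handshake_free. It is passed unchanged to psk_client_callback in ssl3_send_client_key_exchange, so callbacks presumably receive NULL when the server sent no ServerKeyExchange. I would extend the comment with `It is a NUL-terminated string owned by the handshake, or NULL if no hint was received.` so that callers neither free it nor assume it is set.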