diff --git a/src/internal.c b/src/internal.c
index 198db7584..b07df2b2e 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -5119,6 +5119,15 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 ssl->sessionCtxSz = ctx->sessionCtxSz;
 XMEMCPY(ssl->sessionCtx, ctx->sessionCtx, ctx->sessionCtxSz);
 ssl->cbioFlag = ctx->cbioFlag;
+
+ if ((ssl->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
+ sizeof(WOLFSSL_X509_VERIFY_PARAM),
+ ssl->heap, DYNAMIC_TYPE_OPENSSL)) == NULL) {
+ WOLFSSL_MSG("ssl->param memory error");
+ return MEMORY_E;
+ }
+ XMEMSET(ssl->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
+
 #endif
 InitCiphers(ssl);
@@ -5682,7 +5691,11 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 FreeWriteDup(ssl);
 }
 #endif
-
+#ifdef OPENSSL_EXTRA
+ if (ssl->param) {
+ XFREE(ssl->param, ssl->heap, DYNAMIC_TYPE_OPENSSL);
+ }
+#endif
 #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
 while (ssl->certReqCtx != NULL) {
 CertReqCtx* curr = ssl->certReqCtx;
@@ -9121,16 +9134,17 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args)
 XMEMSET(store->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
 /* Overwrite with non-default param values in SSL */
+ if (ssl->param) {
+ if (ssl->param->check_time)
+ store->param->check_time = ssl->param->check_time;
- if (ssl->param.check_time)
- store->param->check_time = ssl->param.check_time;
+ if (ssl->param->flags)
+ store->param->flags = ssl->param->flags;
- if (ssl->param.flags)
- store->param->flags = ssl->param.flags;
-
- if (ssl->param.hostName[0])
- XMEMCPY(store->param->hostName, ssl->param.hostName,
- WOLFSSL_HOST_NAME_MAX);
+ if (ssl->param->hostName[0])
+ XMEMCPY(store->param->hostName, ssl->param->hostName,
+ WOLFSSL_HOST_NAME_MAX);
+ }
 }
 #endif /* defined(OPENSSL_EXTRA) */
 #endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)*/
diff --git a/src/ssl.c b/src/ssl.c
index a63a016a6..33bc2166c 100644
--- a/src/ssl.c
+++ b/src/ssl.c
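Review bot: In the InitSSL hunk of src/internal.c, the new `ssl->param` allocation sits in a conditional block whose opening `#if` is outside the hunk, while the matching free in SSL_ResourceFree is under `#ifdef OPENSSL_EXTRA`. The two guards, and the one around the struct field, should be confirmed identical, otherwise some build configuration either leaks the block or fails to compile. The early `return MEMORY_E;` also leaves cleanup of whatever InitSSL allocated earlier to the caller, which is not visible here. I would record the ownership above the allocation, e.g. `/* owned by ssl; released in SSL_ResourceFree() */`. InitSSL's body starts and ends outside the hunk.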
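Review bot: In the SSL_ResourceFree hunk of src/internal.c, `ssl->param` is released but keeps pointing at the freed block. A second pass through this function, or a later read through wolfSSL_get0_param (which now returns this pointer directly), would touch freed memory. Clear the pointer inside the guard, right after the XFREE call: `ssl->param = NULL;`. Whether the WOLFSSL object can outlive this call is not visible in the hunk, but the reset costs nothing and turns a use-after-free into a NULL the other call sites already test for. The function body continues outside the hunk.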
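Review bot: In the DoVerifyCallback hunk of src/internal.c, the new `if (ssl->param)` guard has no else branch. When the pointer is NULL, `store->param` keeps the all-zero values from the preceding XMEMSET, and the configured hostName, flags and check_time are dropped without a trace. Since InitSSL now fails outright when the allocation fails, a NULL here would point to a lifetime bug rather than a normal state, so it should at least be logged: `else { WOLFSSL_MSG("ssl->param is NULL, verify params not applied"); }`. If the verify callback relies on the hostname being present, returning an error would be the safer choice; that depends on code outside this hunk. DoVerifyCallback starts outside the hunk.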
@@ -19766,7 +19766,7 @@ WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl)
 if (ssl == NULL) {
 return NULL;
 }
- return &ssl->param;
+ return ssl->param;
 }
 #ifndef NO_WOLFSSL_STUB
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 43039882c..05e8c08fc 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3739,7 +3739,7 @@ struct WOLFSSL {
 WOLFSSL_BIO* biord; /* socket bio read to free/close */
 WOLFSSL_BIO* biowr; /* socket bio write to free/close */
 byte sessionCtx[ID_LEN]; /* app session context ID */
- WOLFSSL_X509_VERIFY_PARAM param; /* verification parameters*/
+ WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/
 #endif
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 unsigned long peerVerifyRet;
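Review bot: In the wolfSSL_get0_param hunk of src/ssl.c, `return ssl->param;` changes the function's contract and the change is undocumented. The old `&ssl->param` was never NULL for a non-NULL `ssl`, whereas the new pointer is NULL whenever the heap block is absent. It is also a heap block that SSL_ResourceFree releases, so a caller holding the result across that call would be left with a stale pointer. Callers that dereference the result without a check are not visible here and should be audited. I would state both points above the function: `/* Returns ssl->param, owned by ssl; may be NULL. Do not free, and do not use after the ssl's resources are released. */`.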