diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 16241029c..d3ba9d136 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1098,35 +1098,6 @@ struct mbedtls_ssl_config
 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
 };
 
-/*
- * Getter functions for fields in mbedtls_ssl_config which may
- * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
- */
-
-#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
-static inline unsigned int mbedtls_ssl_conf_get_ems(
-    mbedtls_ssl_config const *conf )
-{
-#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
-    return( conf->extended_ms );
-#else
-    ((void) conf);
-    return( MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET );
-#endif /* MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
-}
-
-static inline unsigned int mbedtls_ssl_conf_get_ems_enforced(
-    mbedtls_ssl_config const *conf )
-{
-#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
-    return( conf->enforce_extended_master_secret );
-#else
-    ((void) conf);
-    return( MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET );
-#endif /* MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
-}
-#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
-
 struct mbedtls_ssl_context
 {
     const mbedtls_ssl_config *conf; /*!< configuration information          */
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index c9253bf9d..7009c4f8b 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -1079,4 +1079,34 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
                              mbedtls_ssl_transform *transform,
                              mbedtls_record *rec );
 
+
+/*
+ * Getter functions for fields in mbedtls_ssl_config which may
+ * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
+ */
+
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+static inline unsigned int mbedtls_ssl_conf_get_ems(
+    mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
+    return( conf->extended_ms );
+#else
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET );
+#endif /* MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET */
+}
+
+static inline unsigned int mbedtls_ssl_conf_get_ems_enforced(
+    mbedtls_ssl_config const *conf )
+{
+#if !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET)
+    return( conf->enforce_extended_master_secret );
+#else
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET );
+#endif /* MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
+}
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
+
 #endif /* ssl_internal.h */