diff --git a/ChangeLog.d/dtls-cid-null.txt b/ChangeLog.d/dtls-cid-null.txt
new file mode 100644
index 000000000..f6f4c5462
--- /dev/null
+++ b/ChangeLog.d/dtls-cid-null.txt
@@ -0,0 +1,5 @@
+Bugfix
+   * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of
+     MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C,
+     DTLS handshakes using CID would crash due to a null pointer dereference.
+     Fix this. Fixes #3998.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index c85291e1e..4878585bb 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -990,6 +990,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
 
 #if !defined(MBEDTLS_SSL_HW_RECORD_ACCEL) && \
     !defined(MBEDTLS_SSL_EXPORT_KEYS) && \
+    !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
     !defined(MBEDTLS_DEBUG_C)
     ssl = NULL; /* make sure we don't use it except for those cases */
     (void) ssl;