diff --git a/boring/src/ssl/callbacks.rs b/boring/src/ssl/callbacks.rs
index e87b151f..1e7a64da 100644
--- a/boring/src/ssl/callbacks.rs
+++ b/boring/src/ssl/callbacks.rs
@@ -223,14 +223,13 @@ pub(super) unsafe extern "C" fn raw_select_cert(
 client_hello: *const ffi::SSL_CLIENT_HELLO,
 ) -> ffi::ssl_select_cert_result_t
 where
- F: Fn(&ClientHello) -> Result<(), SelectCertError> + Sync + Send + 'static,
+ F: Fn(ClientHello<'_>) -> Result<(), SelectCertError> + Sync + Send + 'static,
 {
 // SAFETY: boring provides valid inputs.
- let client_hello = unsafe { &*(client_hello as *const ClientHello) };
+ let client_hello = ClientHello(unsafe { &*client_hello });
- let callback = client_hello
- .ssl()
- .ssl_context()
+ let ssl_context = client_hello.ssl().ssl_context().to_owned();
+ let callback = ssl_context
 .ex_data(SslContext::cached_ex_index::())
 .expect("BUG: select cert callback missing");
diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index c9cd6f6e..34925fb8 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -1370,6 +1370,7 @@ impl SslContextBuilder {
 );
 }
 }
+
 /// Sets a callback that is called before most ClientHello processing and before the decision whether
 /// to resume a session is made. The callback may inspect the ClientHello and configure the
 /// connection.
@@ -1379,7 +1380,7 @@ impl SslContextBuilder {
 /// [`SSL_CTX_set_select_certificate_cb`]: https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_select_certificate_cb.html
 pub fn set_select_certificate_callback(&mut self, callback: F)
 where
- F: Fn(&ClientHello) -> Result<(), SelectCertError> + Sync + Send + 'static,
+ F: Fn(ClientHello<'_>) -> Result<(), SelectCertError> + Sync + Send + 'static,
 {
 unsafe {
 self.set_ex_data(SslContext::cached_ex_index::(), callback);
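Review bot: In `raw_select_cert` (callbacks.rs) the `// SAFETY:` comment still only says that boring provides valid inputs, while the new `ClientHello(unsafe { &*client_hello })` turns the raw pointer into a reference whose lifetime the compiler cannot check. The comment should state the actual invariant, to be confirmed against BoringSSL's contract: `// SAFETY: boring passes a non-null SSL_CLIENT_HELLO that stays valid until this callback returns; the wrapper does not outlive the call.` The added `.to_owned()` also needs a why-comment, since it presumably keeps the `SslContext` and the closure stored in its ex_data alive now that the callback can reach `ssl_mut()` and might replace the connection's context: `// Hold our own reference so the closure stays alive even if the callback swaps the context.` The function body starts before and continues after this hunk.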
@@ -1959,9 +1960,9 @@ pub struct CipherBits {
 }
 #[repr(transparent)]
-pub struct ClientHello(ffi::SSL_CLIENT_HELLO);
+pub struct ClientHello<'ssl>(&'ssl ffi::SSL_CLIENT_HELLO);
-impl ClientHello {
+impl ClientHello<'_> {
 /// Returns the data of a given extension, if present.
 ///
 /// This corresponds to [`SSL_early_callback_ctx_extension_get`].
@@ -1972,7 +1973,7 @@ impl ClientHello {
 let mut ptr = ptr::null();
 let mut len = 0;
 let result =
- ffi::SSL_early_callback_ctx_extension_get(&self.0, ext_type.0, &mut ptr, &mut len);
+ ffi::SSL_early_callback_ctx_extension_get(self.0, ext_type.0, &mut ptr, &mut len);
 if result == 0 {
 return None;
 }
@@ -1980,7 +1981,11 @@ impl ClientHello {
 }
 }
- fn ssl(&self) -> &SslRef {
+ pub fn ssl_mut(&mut self) -> &mut SslRef {
+ unsafe { SslRef::from_ptr_mut(self.0.ssl) }
+ }
+
+ pub fn ssl(&self) -> &SslRef {
 unsafe { SslRef::from_ptr(self.0.ssl) }
 }
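Review bot: The `#[repr(transparent)]` kept on `ClientHello<'ssl>` in the `-1959` hunk looks like a leftover. Judging by the callbacks.rs change, it existed for the `client_hello as *const ClientHello` cast that this commit removes, and the wrapper is now constructed by value. Either drop the attribute or add a comment naming what still depends on the layout. The struct also has no doc comment explaining `'ssl`; something like `/// A ClientHello borrowed from BoringSSL for the duration of the select-certificate callback.` would help, together with a note that the type must stay non-`Clone` and non-`Copy` because `ssl_mut` hands out `&mut SslRef` through it.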
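Review bot: In the `-1980` hunk, `ssl_mut` and `ssl` become public without doc comments, and neither `unsafe` block has a `// SAFETY:` line. `ssl_mut` needs one most, because it creates `&mut SslRef` from the raw `ssl` pointer read through a shared `&SSL_CLIENT_HELLO`. Its exclusivity therefore depends on there being exactly one `ClientHello` per callback invocation, and on no other reference to the same connection being live while the callback runs, which is worth confirming against the handshake call path. Suggested additions are `/// Returns a mutable reference to the connection this ClientHello belongs to.` and `// SAFETY: self.0.ssl is valid for 'ssl, and &mut self rules out another borrow through this wrapper.`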