diff --git a/libopenconnect.map.in b/libopenconnect.map.in
index 0cce284c..f8871462 100644
--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
@@ -44,6 +44,9 @@ OPENCONNECT_3.1 {
 	openconnect_setup_tun_fd;
 	openconnect_setup_dtls;
 	openconnect_make_cstp_connection;
+	openconnect_set_server_cert_sha1;
+	openconnect_get_ifname;
+	openconnect_set_reqmtu;
 } OPENCONNECT_3.0;
 
 OPENCONNECT_PRIVATE {
diff --git a/library.c b/library.c
index 67bd964f..611a9433 100644
--- a/library.c
+++ b/library.c
@@ -138,6 +138,8 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 	free(vpninfo->proxy_type);
 	free(vpninfo->proxy);
 	free(vpninfo->vpnc_script);
+	free(vpninfo->cafile);
+	free(vpninfo->servercert);
 	free(vpninfo->ifname);
 
 	if (vpninfo->csd_scriptname) {
@@ -156,7 +158,6 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 	/* These are const in openconnect itself, but for consistency of
 	   the library API we do take ownership of the strings we're given,
 	   and thus we have to free them too. */
-	free((void *)vpninfo->cafile);
 	if (vpninfo->cert != vpninfo->sslkey)
 		free((void *)vpninfo->sslkey);
 	free((void *)vpninfo->cert);
@@ -228,6 +229,21 @@ void openconnect_set_cafile(struct openconnect_info *vpninfo, char *cafile)
 	vpninfo->cafile = cafile;
 }
 
+void openconnect_set_server_cert_sha1(struct openconnect_info *vpninfo, char *servercert)
+{
+	vpninfo->servercert = servercert;
+}
+
+const char *openconnect_get_ifname(struct openconnect_info *vpninfo)
+{
+	return vpninfo->ifname;
+}
+
+void openconnect_set_reqmtu(struct openconnect_info *vpninfo, int reqmtu)
+{
+	vpninfo->reqmtu = reqmtu;
+}
+
 void openconnect_setup_csd(struct openconnect_info *vpninfo, uid_t uid, int silent, char *wrapper)
 {
 	vpninfo->uid_csd = uid;
diff --git a/main.c b/main.c
index eae3797a..36f48cd9 100644
--- a/main.c
+++ b/main.c
@@ -569,13 +569,13 @@ int main(int argc, char **argv)
 			/* The next option will come from the file... */
 			break;
 		case OPT_CAFILE:
-			vpninfo->cafile = keep_config_arg();
+			openconnect_set_cafile(vpninfo, xstrdup(config_arg));
 			break;
 		case OPT_PIDFILE:
 			pidfile = keep_config_arg();
 			break;
 		case OPT_SERVERCERT:
-			vpninfo->servercert = keep_config_arg();
+			openconnect_set_server_cert_sha1(vpninfo, xstrdup(config_arg));
 			break;
 		case OPT_NO_DTLS:
 			use_dtls = 0;
@@ -649,13 +649,15 @@ int main(int argc, char **argv)
 		case 'l':
 			use_syslog = 1;
 			break;
-		case 'm':
-			vpninfo->reqmtu = atol(config_arg);
-			if (vpninfo->reqmtu < 576) {
-				fprintf(stderr, _("MTU %d too small\n"), vpninfo->reqmtu);
-				vpninfo->reqmtu = 576;
+		case 'm': {
+			int mtu = atol(config_arg);
+			if (mtu < 576) {
+				fprintf(stderr, _("MTU %d too small\n"), mtu);
+				mtu = 576;
 			}
+			openconnect_set_reqmtu(vpninfo, mtu);
 			break;
+		}
 		case OPT_BASEMTU:
 			vpninfo->basemtu = atol(config_arg);
 			if (vpninfo->basemtu < 576) {
@@ -931,7 +933,7 @@ int main(int argc, char **argv)
 		fprintf(stderr, _("Set up DTLS failed; using SSL instead\n"));
 
 	vpn_progress(vpninfo, PRG_INFO,
-		     _("Connected %s as %s%s%s, using %s\n"), vpninfo->ifname,
+		     _("Connected %s as %s%s%s, using %s\n"), openconnect_get_ifname(vpninfo),
 		     vpninfo->vpn_addr?:"",
 		     (vpninfo->vpn_addr6 && vpninfo->vpn_addr) ? " + " : "",
 		     vpninfo->vpn_addr6 ? : "",
diff --git a/openconnect-internal.h b/openconnect-internal.h
index ccb98954..929c1b90 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -169,8 +169,8 @@ struct openconnect_info {
 	const char *sslkey;
 	int cert_type;
 	char *cert_password;
-	const char *cafile;
-	const char *servercert;
+	char *cafile;
+	char *servercert;
 	const char *xmlconfig;
 	char xmlsha1[(SHA1_SIZE * 2) + 1];
 	char *authgroup;
diff --git a/openconnect.h b/openconnect.h
index 4b041ee5..cbb84c0f 100644
--- a/openconnect.h
+++ b/openconnect.h
@@ -226,6 +226,9 @@ void openconnect_set_cafile(struct openconnect_info *, char *);
 void openconnect_setup_csd(struct openconnect_info *, uid_t, int silent, char *wrapper);
 int openconnect_set_reported_os(struct openconnect_info *, const char *os);
 void openconnect_set_client_cert(struct openconnect_info *, char *cert, char *sslkey);
+void openconnect_set_server_cert_sha1(struct openconnect_info *, char *);
+const char *openconnect_get_ifname(struct openconnect_info *);
+void openconnect_set_reqmtu(struct openconnect_info *, int reqmtu);
 
 /* This is *not* yours and must not be destroyed with X509_free(). It
  * will be valid when a cookie has been obtained successfully, and will