diff --git a/mitmproxy/connections.py b/mitmproxy/connections.py
index a32889bd5..f914c7d27 100644
--- a/mitmproxy/connections.py
+++ b/mitmproxy/connections.py
@@ -17,6 +17,7 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject):
 address: Remote address
 ssl_established: True if TLS is established, False otherwise
 clientcert: The TLS client certificate
+ mitmcert: The MITM'ed TLS server certificate presented to the client
 timestamp_start: Connection start timestamp
 timestamp_ssl_setup: TLS established timestamp
 timestamp_end: Connection end timestamp
@@ -40,6 +41,7 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject):
 self.clientcert = None
 self.ssl_established = None
+ self.mitmcert = None
 self.timestamp_start = time.time()
 self.timestamp_end = None
 self.timestamp_ssl_setup = None
@@ -72,6 +74,7 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject):
 address=tcp.Address,
 ssl_established=bool,
 clientcert=certs.SSLCert,
+ mitmcert=certs.SSLCert,
 timestamp_start=float,
 timestamp_ssl_setup=float,
 timestamp_end=float,
@@ -98,6 +101,7 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject):
 return cls.from_state(dict(
 address=dict(address=address, use_ipv6=False),
 clientcert=None,
+ mitmcert=None,
 ssl_established=False,
 timestamp_start=None,
 timestamp_end=None,
@@ -108,9 +112,10 @@ class ClientConnection(tcp.BaseHandler, stateobject.StateObject):
 tls_version=None,
 ))
- def convert_to_ssl(self, *args, **kwargs):
- super().convert_to_ssl(*args, **kwargs)
+ def convert_to_ssl(self, cert, *args, **kwargs):
+ super().convert_to_ssl(cert, *args, **kwargs)
 self.timestamp_ssl_setup = time.time()
+ self.mitmcert = cert
 sni = self.connection.get_servername()
 if sni:
 self.sni = sni.decode("idna")
diff --git a/mitmproxy/io_compat.py b/mitmproxy/io_compat.py
index 8f89b86e9..c12d2098d 100644
--- a/mitmproxy/io_compat.py
+++ b/mitmproxy/io_compat.py
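Review bot: In `ClientConnection.convert_to_ssl` (mitmproxy/connections.py, the `-108,9 +112,10` hunk), `self.mitmcert = cert` runs only after `super().convert_to_ssl(cert, *args, **kwargs)` returns, so if the base handler raises on a failed handshake (likely, but not visible here) the connection keeps `mitmcert = None`. A client that rejects the interception certificate, for example because it pins the real one, is the case where knowing which certificate was offered helps most, and the docstring says "presented to the client", not "accepted". Consider moving the assignment above the `super()` call, or, if recording it only on success is intended, add `# set only after a successful handshake` next to it. The method body may continue past the end of the hunk.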
@@ -93,6 +93,7 @@ def convert_100_200(data):
 def convert_200_300(data):
 data["version"] = (3, 0, 0)
+ data["client_conn"]["mitmcert"] = None
 return data
diff --git a/mitmproxy/test/tflow.py b/mitmproxy/test/tflow.py
index 6d3308407..ea7be4b95 100644
--- a/mitmproxy/test/tflow.py
+++ b/mitmproxy/test/tflow.py
@@ -144,6 +144,7 @@ def tclient_conn():
 c = connections.ClientConnection.from_state(dict(
 address=dict(address=("address", 22), use_ipv6=True),
 clientcert=None,
+ mitmcert=None,
 ssl_established=False,
 timestamp_start=1,
 timestamp_ssl_setup=2,
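Review bot: The new `data["client_conn"]["mitmcert"] = None` in `convert_200_300` (mitmproxy/io_compat.py) indexes `client_conn` unconditionally, so a dump whose `client_conn` is missing or `None` would fail here with a bare `KeyError`/`TypeError` rather than a clear load error. The data comes from a flow file on disk, so a guard such as `if data.get("client_conn"): data["client_conn"]["mitmcert"] = None` is cheap. Separately, dumps already stamped `(3, 0, 0)` by a build that predates this field presumably skip this converter (the dispatch is not visible in the hunk) and would still lack the key. It is worth confirming that `ClientConnection.from_state` tolerates its absence.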