diff --git a/ChangeLog b/ChangeLog
index 8f9523e0c..e72579d4f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,10 @@ Features
      verified and significantly faster, but is only supported on x86 platforms
      (32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
      Christoph Wintersteiger from Microsoft Research.
+   * Add mbedtls_net_close(), enabling the building of forking servers where
+     the parent process closes the client socket and continue accepting, and
+     the child process closes the listening socket and handles the client
+     socket. Contributed by Robert Larsen in #2803.
 
 API Changes
    * Add DER-encoded test CRTs to library/certs.c, allowing
@@ -67,6 +71,11 @@ Bugfix
    * Fix propagation of restart contexts in restartable EC operations.
      This could previously lead to segmentation faults in builds using an
      address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
+   * Fix memory leak in in mpi_miller_rabin(). Contributed by
+     Jens Wiklander in #2363
+   * Improve code clarity in x509_crt module, removing false-positive
+     uninitialized variable warnings on some recent toolchains (GCC8, etc).
+     Discovered and fixed by Andy Gross (Linaro), #2392.
 
 Changes
    * Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h
index df42b450c..adb589ee9 100644
--- a/include/mbedtls/net_sockets.h
+++ b/include/mbedtls/net_sockets.h
@@ -257,6 +257,13 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
 int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
                       uint32_t timeout );
 
+/**
+ * \brief          Closes down the connection and free associated data
+ *
+ * \param ctx      The context to close
+ */
+void mbedtls_net_close( mbedtls_net_context *ctx );
+
 /**
  * \brief          Gracefully shutdown the connection and free associated data
  *
diff --git a/library/net_sockets.c b/library/net_sockets.c
index 5d538bfd5..c7b358d05 100644
--- a/library/net_sockets.c
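Review bot: The new \brief for mbedtls_net_close() reads almost the same as the one for mbedtls_net_free() just below it ("free associated data" versus "Gracefully shutdown the connection and free associated data"), so a caller of this header cannot tell which of the two to use. The implementation added in this commit only calls close() on ctx->fd and resets it to -1, with no shutdown(), which is exactly what the ChangeLog's forking-server use case needs: after fork() both processes hold the descriptor, and a plain close() in one of them releases that process's reference without terminating the peer's connection, whereas mbedtls_net_free() is documented as a graceful shutdown (its body is outside this diff, so I am going by its doc comment). Suggest `\brief Closes the socket descriptor without shutting down the connection; intended for a forked process that must drop its copy of a descriptor the other process keeps using (use mbedtls_net_free() to tear a connection down).` plus a \note that ctx must have been set up with mbedtls_net_init() and that calling it on a context whose fd is already -1 is a no-op, which the implementation's early return guarantees.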
+++ b/library/net_sockets.c
@@ -651,6 +651,19 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
     return( ret );
 }
 
+/*
+ * Close the connection
+ */
+void mbedtls_net_close( mbedtls_net_context *ctx )
+{
+    if( ctx->fd == -1 )
+        return;
+
+    close( ctx->fd );
+
+    ctx->fd = -1;
+}
+
 /*
  * Gracefully close the connection
  */
diff --git a/library/x509_crt.c b/library/x509_crt.c
index b2c19db68..48f244e2e 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2611,15 +2611,13 @@ check_signature:
             continue;
         }
 
+        *r_parent = parent;
+        *r_signature_is_good = signature_is_good;
+
         break;
     }
 
-    if( parent != NULL )
-    {
-        *r_parent = parent;
-        *r_signature_is_good = signature_is_good;
-    }
-    else
+    if( parent == NULL )
     {
         *r_parent = fallback_parent;
         *r_signature_is_good = fallback_signature_is_good;
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 80407e49a..851bc0536 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -254,6 +254,7 @@ int main( void )
         if( pid != 0 )
         {
             mbedtls_printf( " ok\n" );
+            mbedtls_net_close( &client_fd );
 
             if( ( ret = mbedtls_ctr_drbg_reseed( &ctr_drbg,
                                                  (const unsigned char *) "parent",
@@ -266,7 +267,7 @@ int main( void )
                 continue;
             }
 
-            mbedtls_net_init( &listen_fd );
+            mbedtls_net_close( &listen_fd );
 
             pid = getpid();
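Review bot: The return value of close() is dropped and ctx->fd is reset to -1 unconditionally, which is the right choice but deserves a comment, because a later reader may be tempted to retry on EINTR: on POSIX the descriptor number is released even when close() reports an error, so a retry could close an unrelated descriptor that has meanwhile been handed out again by accept() in a server that keeps running. Suggest `/* close() errors are ignored on purpose: the descriptor is released regardless, and retrying could close a reused fd. */` above the call. The header comment `Close the connection` is also easy to confuse with the `Gracefully close the connection` of mbedtls_net_free() that follows; I would extend it to say that no shutdown() is issued here, so after fork() the peer connection survives in the process that keeps the other copy of the descriptor, which is the ChangeLog's stated purpose. A NULL ctx is dereferenced without a check; if mbedtls_net_free() guards against that (its body is outside the hunk) this function should match it.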
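Review bot: After the loop, `if( parent == NULL )` now means "no candidate was accepted, report the fallback", but that reading relies on two facts a reader of this hunk cannot verify: every accepted candidate reaches `break` only after the two new assignments, and the loop variable is NULL once the candidate list is exhausted; the loop header and the enclosing function both start outside the hunk. Suggest `/* parent is NULL only when the loop ran out of candidates; report the fallback instead */` above the condition. The outputs were previously written in one place and are now written in two, so a short comment above `*r_parent = parent;` such as `/* candidate accepted: record it and stop searching */` keeps both writers visible to the next maintainer.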
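Review bot: The parent now drops its copy of client_fd before the DRBG reseed, which is the right order (the `continue` in the reseed error path below can no longer leak the descriptor), but the reason is not visible at the call site. Suggest `/* The child owns the client connection; drop the parent's copy of the descriptor so the socket is only torn down when the child finishes. */` above `mbedtls_net_close( &client_fd );`. This branch is taken for any non-zero pid, so it relies on a failed fork() (pid < 0) being handled before `if( pid != 0 )`, which is outside the hunk; if it is not, a failed fork would close the only copy of the client socket here. main() continues outside the hunk.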