diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index 8a86251976..a2de60a954 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -666,6 +666,8 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 return ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED;
 }
 free(use_host);
+ } else {
+ mbedtls_ssl_set_hostname(&tls->ssl, NULL);
 }
 if ((ret = mbedtls_ssl_config_defaults(&tls->conf,
diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index ca7874fc2c..d50d61eb9e 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -1084,4 +1084,11 @@ menu "mbedTLS"
 the flash footprint and hence care must be taken to keep some reserved space for the application binary in flash layout.
+ config MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION
+ bool "Allow weak certificate verification"
+ default n
+ help
+ This options allows weak certificate verification by skipping the hostname verification.
+ It is not recommended to use this option.
+
 endmenu # mbedTLS
diff --git a/components/mbedtls/mbedtls b/components/mbedtls/mbedtls
index 98fcfd6d2c..601990b1d8 160000
--- a/components/mbedtls/mbedtls
+++ b/components/mbedtls/mbedtls
@@ -1 +1 @@
-Subproject commit 98fcfd6d2cea90d306e8fde8e5bffd6087c9cda8
+Subproject commit 601990b1d81510a135da9bb0476d6ed3cb8c011b
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index 6e98dc53a2..37fbd05ca3 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
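Review bot: The new `else` branch discards the return value of `mbedtls_ssl_set_hostname(&tls->ssl, NULL)`, while the `if` branch directly above treats a non-zero result from the same call as fatal (`return ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED;`); the two paths should agree, e.g. `if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, NULL)) != 0) { return ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED; }`. Because a NULL hostname is what the accompanying Kconfig help text describes as skipping hostname verification — the server certificate is no longer matched against any expected identity — the branch deserves a comment making the opt-out explicit, such as `/* No hostname supplied: explicitly disable hostname verification; the peer certificate is not matched against any expected name. */`, and a warning-level log here would let operators notice when a connection is established in that mode. Whether the explicit NULL call is what the bumped mbedtls submodule requires to proceed without a hostname is not visible in this hunk and should be confirmed against that version's API. The condition that selects this branch and the remainder of set_client_config lie outside the hunk.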
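Review bot: The help text reads `This options allows weak certificate verification…`; it should be `This option allows…`. It would also help users judge the risk if the help said what is actually relaxed: only TLS client connections that supply no hostname appear to be affected (the esp-tls change in this commit passes NULL in exactly that case), and for those the server certificate is not matched against any expected name, so a certificate that otherwise passes verification is accepted for any server. Since this is a build-wide switch rather than a per-connection setting, a sentence noting that it applies to every TLS client in the firmware would be worth adding to the help as well.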
@@ -2073,6 +2073,21 @@
 */
 #define MBEDTLS_ERROR_C
+/**
+ * \def MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+ *
+ * Caller: library/ssl_tls.c
+ *
+ * Allow weak certificate verification without a hostname.
+ * This option is not recommended for production use.
+ */
+
+#if CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION
+#define MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+#else
+#undef MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME
+#endif
+
 /**
 * \def MBEDTLS_GCM_C
 *
diff --git a/docs/en/api-reference/protocols/mbedtls.rst b/docs/en/api-reference/protocols/mbedtls.rst
index c9a513611a..ab9691b20a 100644
--- a/docs/en/api-reference/protocols/mbedtls.rst
+++ b/docs/en/api-reference/protocols/mbedtls.rst
@@ -94,3 +94,4 @@ Reducing Binary Size
 ^^^^^^^^^^^^^^^^^^^^
 Under ``Component Config -> mbedTLS``, there are multiple Mbed TLS features which are enabled by default but can be disabled if not needed to save code size. More information can be about this can be found in :ref:`Minimizing Binary Size ` docs.
+
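Review bot: `#if CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION` tests the value of a macro that is simply undefined when the option is off; that is well-defined (it evaluates to 0) but it trips `-Wundef`, and `#ifdef CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION` states the intent directly — if the surrounding esp_config.h uses `#ifdef` for its other CONFIG_ switches (not visible in this hunk), match that. The doc comment could also describe the effect rather than restate the name, e.g. `Allow TLS clients to complete certificate verification with no hostname set, so the server certificate is not matched against any expected name.`, which spares the reader a trip to the Kconfig help to learn what "weak" means.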