diff --git a/certs/test/gen-testcerts.sh b/certs/test/gen-testcerts.sh
index 634b62166..f07721c42 100755
--- a/certs/test/gen-testcerts.sh
+++ b/certs/test/gen-testcerts.sh
@@ -95,3 +95,9 @@ generate_test_cert server-badaltnull www.nomatch.com DER:30:0d:82:0b:6c:6f:63:61
 
 # Generate Bad Alt Name CN=www.nomatch.com, Alt=www.nomatch.com
 generate_test_cert server-badaltname www.nomatch.com www.nomatch.com
+
+# Generate Good Alt Name CN=localhost, Alt=localhost
+generate_test_cert server-localhost localhost localhost
+
+# Generate Bad Alt Name CN=localhost, Alt=garbage
+generate_test_cert server-garbage localhost garbage
diff --git a/certs/test/server-garbage.der b/certs/test/server-garbage.der
new file mode 100644
index 000000000..febc7b770
Binary files /dev/null and b/certs/test/server-garbage.der differ
diff --git a/certs/test/server-garbage.pem b/certs/test/server-garbage.pem
new file mode 100644
index 000000000..7ab2aaf5e
--- /dev/null
+++ b/certs/test/server-garbage.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            8e:d8:a3:08:c6:38:a1:db
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Jun 27 19:53:20 2018 GMT
+            Not After : Mar 23 19:53:20 2021 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
+                    01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
+                    f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75:
+                    f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab:
+                    64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e:
+                    86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25:
+                    4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c:
+                    34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6:
+                    8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc:
+                    40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8:
+                    dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3:
+                    e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9:
+                    64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0:
+                    c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77:
+                    ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4:
+                    b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22:
+                    a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f:
+                    ad:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:garbage
+    Signature Algorithm: sha256WithRSAEncryption
+         57:77:b9:a3:76:83:2a:f1:10:0c:64:02:0a:ad:99:86:55:28:
+         e4:c0:81:a2:a9:f2:af:6d:48:bd:a5:02:49:01:57:33:a8:85:
+         57:f6:65:8c:1a:01:7f:79:0f:af:18:d2:a4:df:03:14:48:40:
+         32:71:f8:44:15:b2:cd:53:d0:53:82:1f:cd:03:a5:68:f6:08:
+         9a:5a:a7:5e:4b:92:aa:dd:46:d4:2b:c1:81:83:df:75:3d:bc:
+         b2:64:43:9f:f1:d2:37:cc:b0:6e:75:b4:2c:9f:1c:1a:17:04:
+         0d:c1:80:a9:9b:64:c6:b4:aa:01:b2:5a:36:20:da:09:80:7f:
+         93:d7:51:be:aa:c1:58:56:f7:3b:0c:53:99:c3:74:99:64:0f:
+         e3:7d:4b:78:24:8e:08:76:15:85:15:30:42:6a:65:80:f5:2d:
+         a5:f4:d9:aa:42:12:5c:cd:68:c7:e7:b8:45:90:2c:dd:52:65:
+         ae:89:14:6e:5a:27:3c:10:05:ae:16:65:fc:04:12:66:07:13:
+         62:e6:a7:05:86:16:5a:7a:3d:9c:71:56:cf:a4:47:f5:7a:8a:
+         5a:bb:a3:d5:47:25:bd:c0:d2:ad:22:af:59:d6:d4:96:a9:b0:
+         05:f4:38:c7:56:46:19:d5:1b:30:9f:46:2e:a4:59:8b:72:e6:
+         a7:83:99:13
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAnmgAwIBAgIJAI7YowjGOKHbMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD
+VQQLDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MR8wHQYJKoZIhvcN
+AQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MDYyNzE5NTMyMFoXDTIxMDMyMzE5
+NTMyMFowfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM
+B0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhv
+c3QxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu8rwkMLiVzi9O
+1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu64CHlci5vLobY
+lXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZaHhzpowYqQJt
+r8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1Us+FtXxy8I3PR
+CQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT0pdz4l0lyWoN
+wzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMBAAGjFjAUMBIG
+A1UdEQQLMAmCB2dhcmJhZ2UwDQYJKoZIhvcNAQELBQADggEBAFd3uaN2gyrxEAxk
+AgqtmYZVKOTAgaKp8q9tSL2lAkkBVzOohVf2ZYwaAX95D68Y0qTfAxRIQDJx+EQV
+ss1T0FOCH80DpWj2CJpap15LkqrdRtQrwYGD33U9vLJkQ5/x0jfMsG51tCyfHBoX
+BA3BgKmbZMa0qgGyWjYg2gmAf5PXUb6qwVhW9zsMU5nDdJlkD+N9S3gkjgh2FYUV
+MEJqZYD1LaX02apCElzNaMfnuEWQLN1SZa6JFG5aJzwQBa4WZfwEEmYHE2LmpwWG
+Flp6PZxxVs+kR/V6ilq7o9VHJb3A0q0ir1nW1JapsAX0OMdWRhnVGzCfRi6kWYty
+5qeDmRM=
+-----END CERTIFICATE-----
diff --git a/certs/test/server-localhost.der b/certs/test/server-localhost.der
new file mode 100644
index 000000000..22c278008
Binary files /dev/null and b/certs/test/server-localhost.der differ
diff --git a/certs/test/server-localhost.pem b/certs/test/server-localhost.pem
new file mode 100644
index 000000000..817e2fbdd
--- /dev/null
+++ b/certs/test/server-localhost.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            e3:7e:ef:46:4d:c8:a3:ab
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Jun 27 19:53:20 2018 GMT
+            Not After : Mar 23 19:53:20 2021 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
+                    01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
+                    f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75:
+                    f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab:
+                    64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e:
+                    86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25:
+                    4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c:
+                    34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6:
+                    8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc:
+                    40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8:
+                    dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3:
+                    e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9:
+                    64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0:
+                    c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77:
+                    ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4:
+                    b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22:
+                    a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f:
+                    ad:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost
+    Signature Algorithm: sha256WithRSAEncryption
+         35:1a:72:99:61:c0:70:0b:5f:12:67:fa:74:f5:01:2b:d2:5a:
+         77:9f:90:dd:e4:2b:da:b7:dc:02:90:35:2d:41:ab:e3:db:a3:
+         69:12:00:e7:cc:71:6e:b1:81:9d:77:9b:2f:4f:0a:51:03:d7:
+         07:45:fe:61:7e:1f:fc:b6:59:49:39:0a:11:73:63:94:a6:3e:
+         a8:d4:ad:1d:93:fa:5f:cf:ef:fa:52:23:87:7b:d5:ba:56:94:
+         42:a3:05:61:b5:e5:ad:c2:d2:89:b2:0c:84:d1:30:d6:d7:5c:
+         2a:b7:29:f1:4d:b9:ca:7f:e1:4c:ff:ac:a9:1b:37:9d:40:fa:
+         cb:52:45:de:1d:29:ea:61:38:ac:cc:39:0d:46:ee:ff:89:0f:
+         ca:88:b8:f1:28:6c:2c:5f:6f:c1:27:50:e5:3a:21:be:63:07:
+         a7:b9:bc:89:18:f6:f2:a3:5d:56:56:18:32:ce:3d:a4:38:1e:
+         3f:72:3c:12:70:f7:83:74:44:ef:c9:69:fe:9d:ec:5c:e2:d4:
+         29:6f:73:df:18:43:18:91:a1:d7:dd:77:22:41:f2:f7:35:1d:
+         47:30:4b:3f:4e:ee:e0:5f:72:36:3a:c7:54:13:ba:0e:0f:e4:
+         0b:b4:e4:2e:fa:61:36:f5:4b:35:47:a8:06:49:fa:9b:5f:c2:
+         a2:91:85:d9
+-----BEGIN CERTIFICATE-----
+MIIDkzCCAnugAwIBAgIJAON+70ZNyKOrMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD
+VQQLDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MR8wHQYJKoZIhvcN
+AQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MDYyNzE5NTMyMFoXDTIxMDMyMzE5
+NTMyMFowfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM
+B0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhv
+c3QxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu8rwkMLiVzi9O
+1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu64CHlci5vLobY
+lXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZaHhzpowYqQJt
+r8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1Us+FtXxy8I3PR
+CQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT0pdz4l0lyWoN
+wzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMBAAGjGDAWMBQG
+A1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEANRpymWHAcAtf
+Emf6dPUBK9Jad5+Q3eQr2rfcApA1LUGr49ujaRIA58xxbrGBnXebL08KUQPXB0X+
+YX4f/LZZSTkKEXNjlKY+qNStHZP6X8/v+lIjh3vVulaUQqMFYbXlrcLSibIMhNEw
+1tdcKrcp8U25yn/hTP+sqRs3nUD6y1JF3h0p6mE4rMw5DUbu/4kPyoi48ShsLF9v
+wSdQ5TohvmMHp7m8iRj28qNdVlYYMs49pDgeP3I8EnD3g3RE78lp/p3sXOLUKW9z
+3xhDGJGh1913IkHy9zUdRzBLP07u4F9yNjrHVBO6Dg/kC7TkLvphNvVLNUeoBkn6
+m1/CopGF2Q==
+-----END CERTIFICATE-----
diff --git a/src/internal.c b/src/internal.c
index 8b7807152..391bf9ba7 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -9357,6 +9357,29 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 }
 
                 if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
+                #ifndef WOLFSSL_ALLOW_NO_CN_IN_SAN
+                    /* Per RFC 5280 section 4.2.1.6, "Whenever such identities
+                     * are to be bound into a certificate, the subject
+                     * alternative name extension MUST be used." */
+                    if (args->dCert->altNames) {
+                        if (CheckAltNames(args->dCert,
+                                (char*)ssl->buffers.domainName.buffer) == 0 ) {
+                            WOLFSSL_MSG("DomainName match on alt names failed");
+                            /* try to get peer key still */
+                            ret = DOMAIN_NAME_MISMATCH;
+                        }
+                    }
+                    else {
+                        if (MatchDomainName(
+                                 args->dCert->subjectCN,
+                                 args->dCert->subjectCNLen,
+                                 (char*)ssl->buffers.domainName.buffer) == 0) {
+                            WOLFSSL_MSG("DomainName match on common name failed");
+                            ret = DOMAIN_NAME_MISMATCH;
+                        }
+                    }
+                #else /* WOLFSSL_ALL_NO_CN_IN_SAN */
+                    /* Old behavior. */
                     if (MatchDomainName(args->dCert->subjectCN,
                                 args->dCert->subjectCNLen,
                                 (char*)ssl->buffers.domainName.buffer) == 0) {
@@ -9369,6 +9392,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                             ret = DOMAIN_NAME_MISMATCH;
                         }
                     }
+                #endif /* WOLFSSL_ALL_NO_CN_IN_SAN */
                 }
 
                 /* decode peer key */
diff --git a/tests/test-fails.conf b/tests/test-fails.conf
index e9fda3021..e41fcd35e 100644
--- a/tests/test-fails.conf
+++ b/tests/test-fails.conf
@@ -94,3 +94,16 @@
 # client ECC bad sig error
 -v 3
 -l ECDHE-ECDSA-AES128-GCM-SHA256
+
+# server missing CN from alternate names list
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-c ./certs/test/server-garbage.pem
+
+# client missing CN from alternate names list
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-h localhost
+-A ./certs/test/server-garbage.pem
+-m
+
diff --git a/tests/test.conf b/tests/test.conf
index 2bee587ae..b1b8fe9fb 100644
--- a/tests/test.conf
+++ b/tests/test.conf
@@ -2306,3 +2306,15 @@
 -A ./certs/test/server-goodaltwild.pem
 -m
 -C
+
+# server CN in alternate names list
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-c ./certs/test/server-localhost.pem
+
+# client CN in alternate names list
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-h localhost
+-A ./certs/test/server-localhost.pem
+-m