diff --git a/certs/test/gen-badaltnamenull.sh b/certs/test/gen-testcerts.sh similarity index 50% rename from certs/test/gen-badaltnamenull.sh rename to certs/test/gen-testcerts.sh index 8ca9d8c7a..f51942597 100755 --- a/certs/test/gen-badaltnamenull.sh +++ b/certs/test/gen-testcerts.sh @@ -1,5 +1,6 @@ #!/bin/sh +# Generate CN=localhost, AltName=localhost\0h echo "step 1 create key" openssl genrsa -out server-badaltnamenull.key 2048 @@ -18,3 +19,25 @@ openssl x509 -inform pem -in server-badaltnamenull.pem -text > tmp.pem mv tmp.pem server-badaltnamenull.pem openssl x509 -inform pem -in server-badaltnamenull.pem -outform der -out server-badaltnamenull.der + + +# Generate CN=www.nomatch.com, no AltName +echo "step 1 create key" +openssl genrsa -out server-nomatch.key 2048 + +echo "step 2 create csr" +echo "US\nMontana\nBozeman\nEngineering\nwww.nomatch.com\n.\n" | openssl req -new -sha256 -out server-nomatch.csr -key server-nomatch.key -config server-nomatch.conf + +echo "step 3 check csr" +openssl req -text -noout -in server-nomatch.csr + +echo "step 4 create cert" +openssl x509 -req -days 1000 -in server-nomatch.csr -signkey server-nomatch.key \ + -out server-nomatch.pem -extensions req_ext -extfile server-nomatch.conf + +echo "step 5 make human reviewable" +openssl x509 -inform pem -in server-nomatch.pem -text > tmp.pem +mv tmp.pem server-nomatch.pem + +openssl x509 -inform pem -in server-nomatch.pem -outform der -out server-nomatch.der + diff --git a/certs/test/include.am b/certs/test/include.am index 6b9d07d72..f62e97084 100644 --- a/certs/test/include.am +++ b/certs/test/include.am 
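Review bot: The `openssl x509 -req -days 1000 ...` step in the new nomatch block passes no digest option, so the certificate is signed with the tool's default; the server-nomatch.pem committed alongside indeed shows `Signature Algorithm: sha1WithRSAEncryption` even though the CSR step asks for `-sha256`. A SHA-1 signed server certificate can be refused by a verifier for a reason unrelated to the name mismatch this fixture exists to exercise, so the two steps should agree: `openssl x509 -req -sha256 -days 1000 -in server-nomatch.csr -signkey server-nomatch.key \`. The `echo "US\nMontana\n..." | openssl req ...` line also depends on the `#!/bin/sh` echo expanding `\n`, which bash's builtin does not do by default; `printf 'US\nMontana\nBozeman\nEngineering\nwww.nomatch.com\n.\n' | openssl req ...` gives the same input under either shell.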
@@ -3,26 +3,30 @@ # EXTRA_DIST += \ - certs/test/cert-ext-ia.cfg \ - certs/test/cert-ext-ia.der \ - certs/test/cert-ext-nc.cfg \ - certs/test/cert-ext-nc.der \ - certs/test/cert-ext-ns.der \ - certs/test/gen-ext-certs.sh \ + certs/test/cert-ext-ia.cfg \ + certs/test/cert-ext-ia.der \ + certs/test/cert-ext-nc.cfg \ + certs/test/cert-ext-nc.der \ + certs/test/cert-ext-ns.der \ + certs/test/gen-ext-certs.sh \ certs/test/server-duplicate-policy.pem # The certs/server-cert with the last byte (signature byte) changed EXTRA_DIST += \ certs/test/server-cert-rsa-badsig.der \ certs/test/server-cert-rsa-badsig.pem \ - certs/test/server-cert-ecc-badsig.der \ + certs/test/server-cert-ecc-badsig.der \ certs/test/server-cert-ecc-badsig.pem - EXTRA_DIST += \ - certs/test/gen-badaltnamenull.sh \ + certs/test/gen-testcerts.sh \ certs/test/server-badaltnamenull.conf \ certs/test/server-badaltnamenull.csr \ certs/test/server-badaltnamenull.key \ certs/test/server-badaltnamenull.pem \ - certs/test/server-badaltnamenull.der + certs/test/server-badaltnamenull.der \ + certs/test/server-nomatch.conf \ + certs/test/server-nomatch.csr \ + certs/test/server-nomatch.key \ + certs/test/server-nomatch.pem \ + certs/test/server-nomatch.der diff --git a/certs/test/server-nomatch.conf b/certs/test/server-nomatch.conf new file mode 100644 index 000000000..b53010c37 --- /dev/null +++ b/certs/test/server-nomatch.conf @@ -0,0 +1,16 @@ +[ req ] +default_bits = 2048 +distinguished_name = req_distinguished_name +req_extensions = req_ext + +[ req_distinguished_name ] +countryName = US +stateOrProvinceName = Montana +localityName = Bozeman +organizationName = Engineering +commonName = www.nomatch.com +commonName_max = 64 + +[ req_ext ] +#subjectAltName = localhost\0h +#subjectAltName = DER:30:0d:82:0b:6c:6f:63:61:6c:68:6f:73:74:00:68 diff --git a/certs/test/server-nomatch.csr b/certs/test/server-nomatch.csr new file mode 100644 index 000000000..5fdc8f777 --- /dev/null +++ b/certs/test/server-nomatch.csr 
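Review bot: `commonName = www.nomatch.com` in `[ req_distinguished_name ]` does not match the fixtures committed with it: server-nomatch.pem in this same commit carries `CN=www.noname.com` (and the CSR's base64 appears to encode the same name), so the checked-in artifacts were evidently not produced from this config. Either regenerate them with gen-testcerts.sh or change the config to the name actually embedded, otherwise the next regeneration silently changes the subject that tests/test-fails.conf relies on. The `[ req_ext ]` section is empty apart from two commented `#subjectAltName` lines; a comment such as `# no subjectAltName on purpose: the peer must fall back to CN matching` would record why the section is deliberately blank.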
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICtDCCAZwCAQAwYDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAO
+BgNVBAcMB0JvemVtYW4xFDASBgNVBAoMC0VuZ2luZWVyaW5nMRcwFQYDVQQDDA53
+d3cubm9uYW1lLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ1B
+JYwNWaXJdfnKJAz61T0m1w6xMGxELhZWjDks49zn98lW8E8wMZtCoguE1feuu9pF
+6yGnfRmK2J+4QjeWVejmMqt8SQyJpW8nWCvRpFVha0RFbmT60nuvKMRX68Lku6iU
+Vav2KHU+cz4yBj1m9QO6AqzJWQWiLY5t25OBq+EkhWUd9I39rGmF8ba1Bnpus27U
+tqRVJ8cmEwnNPc8ihvcN8RsrYdnQNyYIiIUdJIA2iduDE7PeOSY3jT9mtmeWQOHp
+l91xh/RGbJWNpLBd66TkreLTnz4zmQMMTzZGj1pdv9B3UFc6mIMNWmLsERRhiOMO
+hiaFfEJwFJZBN9PaXYsCAwEAAaAPMA0GCSqGSIb3DQEJDjEAMA0GCSqGSIb3DQEB
+CwUAA4IBAQCA0S++HN0qb94u8setTM5akJjpM1b2o4rcrQluFKMel8mMip9hinvG
+sPkJL1KB28/O9TcdmMX57zfXBsumxLSpjzmjIqri7fVabcu/kybE2wdNNvM+9ZzT
+pNbYhWEhsCS8XAegiApx/JVszmH77GLExuVAY2XqxA7Cy2Ia/qyiR6v0agMd6I4z
+T7nlJHBckOOEdJ6cjqy67vqWy+BKwCK/kRnOJuirIeJ+SechS4tXuRrVni0pkDuK
+xQ2uHQjpzFR40U6pFGgwZcdR1bvLCWOlC7efS4ayIETZzhOuXTZa4qQ5/IcCyM+N
+scJS5z+YQpQMgOs5jj5DWYLUtMs63UmQ
+-----END CERTIFICATE REQUEST-----
diff --git a/certs/test/server-nomatch.der b/certs/test/server-nomatch.der
new file mode 100644
index 000000000..0dcf502a0
Binary files /dev/null and b/certs/test/server-nomatch.der differ
diff --git a/certs/test/server-nomatch.key b/certs/test/server-nomatch.key
new file mode 100644
index 000000000..182b27380
--- /dev/null
+++ b/certs/test/server-nomatch.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAnUEljA1Zpcl1+cokDPrVPSbXDrEwbEQuFlaMOSzj3Of3yVbw
+TzAxm0KiC4TV96672kXrIad9GYrYn7hCN5ZV6OYyq3xJDImlbydYK9GkVWFrREVu
+ZPrSe68oxFfrwuS7qJRVq/YodT5zPjIGPWb1A7oCrMlZBaItjm3bk4Gr4SSFZR30
+jf2saYXxtrUGem6zbtS2pFUnxyYTCc09zyKG9w3xGyth2dA3JgiIhR0kgDaJ24MT
+s945JjeNP2a2Z5ZA4emX3XGH9EZslY2ksF3rpOSt4tOfPjOZAwxPNkaPWl2/0HdQ
+VzqYgw1aYuwRFGGI4w6GJoV8QnAUlkE309pdiwIDAQABAoIBAQCKxhIHfUSOvLHj
+JRMZbUY/OAZzTcTo1mZBilEmp8nSidculA1wJJyyYmQ0fB6C/G2E20z8Hx2UK+at
+VOMCwSXBaVxv3zdr3BDlfbgeu1wliNornoYkkQCs68+zLc+95zMAOx87qPjdNqZm
+zaiaCUDR8BYqO2nXQd6oIaSzkKyI+tqTO9zW4NG8Y5zv0waKCjPK9Ep/kze9uC4S
+WIp2eYhUb+x60dECDBGI9xvlgeZyP5PMCfCyaZk3CxnLsR4tI9R5WwDgMcjCShJk
+3+kHyrtNU8ak2TrfUoh96arHu0HMLFJaJSdxYT9FUSKhKu+fWMn1J36AkxdqntAw
+6HATVD4ZAoGBAM0DCqI5BKvmPWdO587+fpPAa76iqQDqqkaAQ94xcGtTYA0yEfbA
+V4JFfsCEFm7evteMmJgmDyNNVvnSi/LQhL+ih40Q0LKREYzBiMy3aothQZAYb+Ex
+fVllfZhIaWI8q/DoeZ7qohRHFGBA/znav6vls3kE3jRWx0O30eq9cX1tAoGBAMRd
+bQNcp2mCm+fe//s5GKXm4ak4zeo077fUCxJly4DE5e2+IGrP+JYwVrJsMuFu/3C1
+/6+qCgLS+/08BMQ+e6xmTDJrRXtk9KmDI38tEoqzH8tkAgSTxby771/5uNr7hbgX
+LtCCIsxhwSAML0b7M2I8xmEfL3Dmu1q7/GEDAMPXAoGABd/ucBOeNKbWX519OwtD
+6Uv8Smwy15nh4z9NspJMHGc5O2eR6DY+y7beGPowAmFTqq2WudVtXZ+bvHDyHbUn
++K3ZoIs4z8UkcZoiJ2uiG/hffpeUrSlT5DnqTXDVxEDk1HR0977Vgis/RDrYlXnV
+QEHG0NL44xsRfrlHxKhFFkkCgYB1HsgzliLgQp+c2BxUCkUSRrhXx2LCC5rjSRzl
+d0O+5THC8IDDVJIPentrZi+e2CaRYmxDqSbZcmAMNa0eI6p+NHHELMk/hQKMzIPy
+ib6ibZ5MILU3Z7AsFuf6labVLeoe1+z7PnNk9fVLmRjlvFR0ho1IRmJ0c5pRzwgE
+ENd29wKBgA5WnuCBKF9Kv8H9E1hAuAGXwBxmw9PVeWB63/TAernlOQhF47ra9ExH
+GtkZv9D/2tNJaoft1YQ1yhBn7l7rW+vfQYXAOW4yRg0FSOOgefBwN/eTOXVRU9Zg
+9LBwnQlvimQUm0GrxLLAseDqFMn/a3x/KxftvF95JGx/1Lscukdz
+-----END RSA PRIVATE KEY-----
diff --git a/certs/test/server-nomatch.pem b/certs/test/server-nomatch.pem
new file mode 100644
index 000000000..a1753cbf3
--- /dev/null
+++ b/certs/test/server-nomatch.pem
@@ -0,0 +1,69 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 13225619248861184800 (0xb78ad6a26ef08320) + Signature Algorithm: sha1WithRSAEncryption + Issuer: C=US, ST=Montana, L=Bozeman, O=Engineering, CN=www.noname.com + Validity + Not Before: May 24 21:25:38 2018 GMT + Not After : Feb 17 21:25:38 2021 GMT + Subject: C=US, ST=Montana, L=Bozeman, O=Engineering, CN=www.noname.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9d:41:25:8c:0d:59:a5:c9:75:f9:ca:24:0c:fa: + d5:3d:26:d7:0e:b1:30:6c:44:2e:16:56:8c:39:2c: + e3:dc:e7:f7:c9:56:f0:4f:30:31:9b:42:a2:0b:84: + d5:f7:ae:bb:da:45:eb:21:a7:7d:19:8a:d8:9f:b8: + 42:37:96:55:e8:e6:32:ab:7c:49:0c:89:a5:6f:27: + 58:2b:d1:a4:55:61:6b:44:45:6e:64:fa:d2:7b:af: + 28:c4:57:eb:c2:e4:bb:a8:94:55:ab:f6:28:75:3e: + 73:3e:32:06:3d:66:f5:03:ba:02:ac:c9:59:05:a2: + 2d:8e:6d:db:93:81:ab:e1:24:85:65:1d:f4:8d:fd: + ac:69:85:f1:b6:b5:06:7a:6e:b3:6e:d4:b6:a4:55: + 27:c7:26:13:09:cd:3d:cf:22:86:f7:0d:f1:1b:2b: + 61:d9:d0:37:26:08:88:85:1d:24:80:36:89:db:83: + 13:b3:de:39:26:37:8d:3f:66:b6:67:96:40:e1:e9: + 97:dd:71:87:f4:46:6c:95:8d:a4:b0:5d:eb:a4:e4: + ad:e2:d3:9f:3e:33:99:03:0c:4f:36:46:8f:5a:5d: + bf:d0:77:50:57:3a:98:83:0d:5a:62:ec:11:14:61: + 88:e3:0e:86:26:85:7c:42:70:14:96:41:37:d3:da: + 5d:8b + Exponent: 65537 (0x10001) + Signature Algorithm: sha1WithRSAEncryption + 6d:df:c3:7a:74:32:b6:ba:f5:2c:87:93:6c:64:7c:b9:5f:6e: + 79:f3:e7:b2:6a:58:c6:8d:20:9a:f6:46:b1:60:f9:59:59:6f: + 22:32:e3:f8:5c:a2:2d:53:84:48:b9:68:6d:2e:59:03:c1:e4: + ad:5b:ce:91:6e:13:bd:5c:71:2a:69:d8:7d:a8:07:cf:6f:83: + 0c:05:cf:d4:39:7f:10:3d:35:98:1c:f9:77:26:53:d5:81:f1: + 6a:0b:ca:fb:86:f9:6d:bb:92:b9:e0:57:a2:3b:43:14:cc:e0: + 75:27:10:c2:50:1d:91:ca:af:f8:36:88:cc:5d:1d:37:77:fe: + 1d:ea:b3:d9:94:b6:e4:b1:a7:29:2b:e4:1e:c7:f6:65:1d:59: + d7:e2:2d:01:d2:08:a1:72:a0:b2:f1:3f:9c:fd:27:f9:46:85: + e3:05:a5:34:b0:a6:6c:44:f0:42:16:32:71:2f:cd:82:c2:33: + 
05:0a:3c:3c:e7:87:17:d7:1f:a9:4e:83:c2:1e:46:a5:0f:7a: + c2:98:f7:98:a1:75:b8:72:26:d9:1b:65:24:f0:f3:d7:2c:9c: + cf:a6:88:c4:8c:56:00:87:16:be:49:28:91:a0:bc:c7:9f:e3: + 02:35:fb:0b:39:e3:c0:f9:f3:ed:bb:7d:2e:4c:09:7a:88:53: + b1:16:5c:b4 +-----BEGIN CERTIFICATE----- +MIIDQTCCAimgAwIBAgIJALeK1qJu8IMgMA0GCSqGSIb3DQEBBQUAMGAxCzAJBgNV +BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD +VQQKDAtFbmdpbmVlcmluZzEXMBUGA1UEAwwOd3d3Lm5vbmFtZS5jb20wHhcNMTgw +NTI0MjEyNTM4WhcNMjEwMjE3MjEyNTM4WjBgMQswCQYDVQQGEwJVUzEQMA4GA1UE +CAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEUMBIGA1UECgwLRW5naW5lZXJp +bmcxFzAVBgNVBAMMDnd3dy5ub25hbWUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAnUEljA1Zpcl1+cokDPrVPSbXDrEwbEQuFlaMOSzj3Of3yVbw +TzAxm0KiC4TV96672kXrIad9GYrYn7hCN5ZV6OYyq3xJDImlbydYK9GkVWFrREVu +ZPrSe68oxFfrwuS7qJRVq/YodT5zPjIGPWb1A7oCrMlZBaItjm3bk4Gr4SSFZR30 +jf2saYXxtrUGem6zbtS2pFUnxyYTCc09zyKG9w3xGyth2dA3JgiIhR0kgDaJ24MT +s945JjeNP2a2Z5ZA4emX3XGH9EZslY2ksF3rpOSt4tOfPjOZAwxPNkaPWl2/0HdQ +VzqYgw1aYuwRFGGI4w6GJoV8QnAUlkE309pdiwIDAQABMA0GCSqGSIb3DQEBBQUA +A4IBAQBt38N6dDK2uvUsh5NsZHy5X2558+eyaljGjSCa9kaxYPlZWW8iMuP4XKIt +U4RIuWhtLlkDweStW86RbhO9XHEqadh9qAfPb4MMBc/UOX8QPTWYHPl3JlPVgfFq +C8r7hvltu5K54FeiO0MUzOB1JxDCUB2Ryq/4NojMXR03d/4d6rPZlLbksacpK+Qe +x/ZlHVnX4i0B0gihcqCy8T+c/Sf5RoXjBaU0sKZsRPBCFjJxL82CwjMFCjw854cX +1x+pToPCHkalD3rCmPeYoXW4cibZG2Uk8PPXLJzPpojEjFYAhxa+SSiRoLzHn+MC +NfsLOePA+fPtu30uTAl6iFOxFly0 +-----END CERTIFICATE----- diff --git a/tests/test-fails.conf b/tests/test-fails.conf index 3c78cc038..32fd0c0e1 100644 --- a/tests/test-fails.conf +++ b/tests/test-fails.conf @@ -13,6 +13,21 @@ -m -x +# server nomatch common name +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-k ./certs/test/server-nomatch.key +-c ./certs/test/server-nomatch.pem +-d + +# client nomatch common name +-v 3 +-l ECDHE-RSA-AES128-GCM-SHA256 +-h localhost +-A ./certs/test/server-nomatch.pem +-m +-x + # server RSA no signer error -v 3 -l ECDHE-RSA-AES128-GCM-SHA256
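Review bot: The `# client nomatch common name` case expects the handshake to fail because `-h localhost` does not match the certificate's CN, but the committed server-nomatch.pem is valid only until `Feb 17 21:25:38 2021 GMT` and is signed with `sha1WithRSAEncryption`; once it expires, or if the client refuses SHA-1 signatures, the case still reports a failure yet no longer exercises the name check, which is the usual silent-rot mode of a negative test. A much longer validity than the script's `-days 1000` for this fixture, plus a comment naming the expected failure cause, e.g. `# client nomatch common name (must fail on peer name mismatch, not expiry)`, would make such a regression visible. The same concern applies to any other fixture in this file with a similarly short lifetime, which is outside the hunk.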