diff --git a/src/internal.c b/src/internal.c index c4840c6e6..200918c53 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8746,7 +8746,6 @@ int CheckAltNames(DecodedCert* dCert, char* domain) return match; } - #ifdef OPENSSL_EXTRA /* Check that alternative names, if they exists, match the domain. * Fail if there are wild patterns and they didn't match. @@ -8818,6 +8817,13 @@ int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen) return 0; } + +int CheckIPAddr(DecodedCert* dCert, char* ipasc) +{ + WOLFSSL_MSG("Checking IPAddr"); + + return CheckHostName(dCert, ipasc, (size_t)XSTRLEN(ipasc)); +} #endif #ifdef SESSION_CERTS @@ -9357,6 +9363,14 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args) } } } + + /* perform IP address check on the peer certificate */ + if ((args->dCertInit != 0) && (args->dCert != NULL) && + (ssl->param != NULL) && (XSTRLEN(ssl->param->ipasc) > 0)) { + if (CheckIPAddr(args->dCert, ssl->param->ipasc) == 0) { + return VERIFY_CERT_ERROR; + } + } #endif /* if verify callback has been set */ if (use_cb && ssl->verifyCallback) { diff --git a/src/ssl.c b/src/ssl.c index 7cd12ae9f..786fd9c18 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -23006,8 +23006,13 @@ int wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(WOLFSSL_X509_VERIFY_PARAM *param, int ret = WOLFSSL_FAILURE; if (param != NULL) { - XSTRNCPY(param->ipasc, ipasc, WOLFSSL_MAX_IPSTR-1); - param->ipasc[WOLFSSL_MAX_IPSTR-1] = '\0'; + if (ipasc == NULL) { + param->ipasc[0] = '\0'; + } + else { + XSTRNCPY(param->ipasc, ipasc, WOLFSSL_MAX_IPSTR-1); + param->ipasc[WOLFSSL_MAX_IPSTR-1] = '\0'; + } ret = WOLFSSL_SUCCESS; } diff --git a/tests/api.c b/tests/api.c index 5d05dd635..99dc72a2b 100644 --- a/tests/api.c +++ b/tests/api.c 
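Review bot: CheckIPAddr passes the textual address straight to CheckHostName, which by its name and the block comment above it (its body is outside the hunk) performs domain/alternative-name matching with wildcard patterns, whereas an iPAddress subjectAltName is encoded as raw 4- or 16-byte octets rather than text; a certificate that carries only an IP SAN would therefore not match, and the textual comparison could be satisfied by a DNS-name or wildcard entry that happens to match the digit string. The address should be converted to its binary form and compared against the certificate's iPAddress alternative names, failing closed when none match. The function does not write through `ipasc`, so `int CheckIPAddr(DecodedCert* dCert, const char* ipasc)` is the more accurate signature here and for the declaration added in wolfssl/internal.h. The new function also lacks the header comment its neighbours carry; something like `/* Check the peer certificate's alternative names against the expected IP address given in textual form. Returns 0 on mismatch, non-zero otherwise (same convention as CheckHostName, assuming its 0 return above is the failure path). */`.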
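Review bot: The IP mismatch in DoVerifyCallback returns VERIFY_CERT_ERROR before the `if (use_cb && ssl->verifyCallback)` branch just below it, so an application verify callback never observes an IP-address mismatch and cannot record or override it; consider storing the failure in `ret`, the function's existing error parameter, and letting the callback path run rather than returning early. The check also does not restrict itself to the end-entity certificate: if DoVerifyCallback is invoked for every certificate of the chain (its callers are outside the hunk), an intermediate CA certificate would be tested against the expected peer address and fail. `ssl->param->ipasc[0] != '\0'` expresses the emptiness test without a strlen walk. The `#ifdef` that this `#endif` closes starts outside the hunk.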
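Review bot: The else branch in wolfSSL_X509_VERIFY_PARAM_set1_ip_asc still silently truncates an address longer than WOLFSSL_MAX_IPSTR-1 and reports WOLFSSL_SUCCESS, so a caller that passes an over-long string ends up with a different address stored than the one it asked for, and the later certificate check compares against that truncated value. Rejecting the input when `XSTRLEN(ipasc) >= WOLFSSL_MAX_IPSTR` and leaving `ret` at WOLFSSL_FAILURE keeps the stored value faithful to the caller's intent; the rewrite below moves `ret = WOLFSSL_SUCCESS` into the two accepting branches. The function's `return ret;` lies outside the hunk.
```c
    if (param != NULL) {
        if (ipasc == NULL) {
            param->ipasc[0] = '\0';
            ret = WOLFSSL_SUCCESS;
        }
        /* reject rather than silently truncate an over-long address */
        else if (XSTRLEN(ipasc) < WOLFSSL_MAX_IPSTR) {
            XSTRNCPY(param->ipasc, ipasc, WOLFSSL_MAX_IPSTR-1);
            param->ipasc[WOLFSSL_MAX_IPSTR-1] = '\0';
            ret = WOLFSSL_SUCCESS;
        }
    }
    /* … unchanged: return ret … */
```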
@@ -21920,6 +21920,9 @@ static void test_wolfSSL_X509_VERIFY_PARAM(void) AssertIntEQ(1, ret); AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, NULL); + AssertIntEQ(1, ret); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, testIPv6); AssertIntEQ(1, ret); AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 383cfa404..0b72dfc27 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1666,6 +1666,9 @@ WOLFSSL_LOCAL int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_LOCAL int MatchDomainName(const char* pattern, int len, const char* str); #ifndef NO_CERTS WOLFSSL_LOCAL int CheckAltNames(DecodedCert* dCert, char* domain); +#ifdef OPENSSL_EXTRA +WOLFSSL_LOCAL int CheckIPAddr(DecodedCert* dCert, char* ipasc); +#endif #endif WOLFSSL_LOCAL int CreateTicket(WOLFSSL* ssl); WOLFSSL_LOCAL int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz);
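Review bot: The new NULL call in test_wolfSSL_X509_VERIFY_PARAM only asserts the return code; it never checks that the stored address was actually cleared, which is the behaviour the ssl.c change introduces, so a regression that returned success without touching `param->ipasc` would pass. Add `AssertIntEQ('\0', param->ipasc[0]);` after the `AssertIntEQ(1, ret);` that follows the NULL call, mirroring the XSTRNCMP checks the IPv4 and IPv6 cases already make. The enclosing test function starts outside the hunk.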