diff --git a/src/internal.c b/src/internal.c
index 3db8aca8c..86c20fd15 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -42028,12 +42028,17 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
 kCFAllocatorDefault, (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
 }
- if (hostname != NULL) {
- policy = SecPolicyCreateSSL(true, hostname);
- }
- else {
- policy = SecPolicyCreateSSL(true, NULL);
+
+ /* If we're the client, we're validating the server's cert - use server
+ * policy (true). If we're the server, we're validating the client's cert -
+ * use client policy (false). Hostname validation only applies to server
+ * certs. */
+ {
+ int isServerCert = (ssl->options.side == WOLFSSL_CLIENT_END);
+ policy = SecPolicyCreateSSL(isServerCert,
+ isServerCert ? hostname : NULL);
 }
+
 status = SecTrustCreateWithCertificates(certArray, policy, &trust);
 if (status != errSecSuccess) {
 WOLFSSL_MSG_EX("Error creating trust object, "
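Review bot: The `isServerCert ? hostname : NULL` argument still lets a client with no domain name configured fall through to `SecPolicyCreateSSL(true, NULL)`, which builds a server policy without any hostname check, so the peer certificate is validated for chain and trust only and nothing in the hunk records that this weaker mode was selected. That was the pre-change behaviour too, but since this hunk now makes the policy selection explicit, I would make the degraded case visible: `if (isServerCert && hostname == NULL) { WOLFSSL_MSG("No domain name set; Apple policy will not check the hostname"); }` before the `SecPolicyCreateSSL` call, and extend the new comment with a sentence saying that a NULL hostname disables hostname validation rather than failing it. Separately, on the server side `hostname` is still created from `ssl->buffers.domainName.buffer` in the context lines above and then discarded by the ternary; presumably it is released further down, but gating the `CFStringCreateWithCString` call on `isServerCert` as well would avoid the unused allocation. DoAppleNativeCertValidation begins and ends outside this hunk.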