Upon further re-reading of RFC4513 and RFC2818, I think the original behavior was correct. An IP address is only allowed to match an IP Address subjectAltName; it is not allowed to match the certificate CN.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
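The matching rule described in the message above, sketched as an added example that is not part of the original message and is not OpenLDAP's code. The types, function names and sample certificates are hypothetical, SAN values are kept as text rather than DER octets, and wildcard matching is left out.

```c
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* Simplified certificate view (hypothetical types, not OpenLDAP's); SANs kept as text. */
enum san_type { SAN_DNS, SAN_IP };
struct san { enum san_type type; const char *value; };
struct cert_ids { const char *cn; const struct san *sans; size_t nsans; };

/* Parse text as IPv4 or IPv6: returns 4 or 16 (address length), 0 if not an IP. */
static size_t parse_ip(const char *s, unsigned char out[16]) {
    if (inet_pton(AF_INET, s, out) == 1) return 4;
    if (inet_pton(AF_INET6, s, out) == 1) return 16;
    return 0;
}

/* Returns 1 if reference identity `ref` matches the certificate, else 0. */
int identity_matches(const struct cert_ids *c, const char *ref) {
    unsigned char want[16], have[16];
    size_t wlen = parse_ip(ref, want);
    int saw_dns = 0;
    for (size_t i = 0; i < c->nsans; i++) {
        const struct san *s = &c->sans[i];
        if (s->type == SAN_IP) {
            /* Compare binary addresses so textual variants compare equal. */
            if (wlen && parse_ip(s->value, have) == wlen && !memcmp(want, have, wlen))
                return 1;
        } else {
            saw_dns = 1;
            if (!wlen && strcasecmp(s->value, ref) == 0) return 1;
        }
    }
    if (wlen) return 0; /* an IP address never falls back to the CN */
    /* Host name: the CN is consulted only when no dNSName SAN exists (RFC 2818). */
    return !saw_dns && c->cn && strcasecmp(c->cn, ref) == 0;
}

/* Constructed sample certificates. */
static const struct san sans_a[] = {
    { SAN_DNS, "ldap.example.com" }, { SAN_IP, "192.0.2.10" }, { SAN_IP, "2001:db8::1" } };
const struct cert_ids cert_with_ip_san = { "ldap.example.com", sans_a, 3 };
const struct cert_ids cert_cn_is_ip = { "192.0.2.10", NULL, 0 };

int main(void) {
    /* Exit 0 when the IP SAN matches and the IP-in-CN certificate is rejected. */
    return !(identity_matches(&cert_with_ip_san, "192.0.2.10") &&
             !identity_matches(&cert_cn_is_ip, "192.0.2.10"));
}
```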