diff --git a/include/ircd/net/open.h b/include/ircd/net/open.h
index 215210d62..3ad4f722a 100644
--- a/include/ircd/net/open.h
+++ b/include/ircd/net/open.h
@@ -44,6 +44,9 @@ namespace ircd::net
 /// with it.
 struct ircd::net::open_opts
 {
+	// Get the proper target CN from the options structure
+	friend string_view common_name(const open_opts &);
+
 	open_opts() = default;
 	open_opts(const net::ipport &ipport);
 	open_opts(const net::hostport &hostport);
@@ -115,3 +118,9 @@ ircd::net::open_opts::open_opts(const net::remote &remote)
 :hostport{remote.hostname}
 ,ipport{remote}
 {}
+
+inline ircd::string_view
+ircd::net::common_name(const open_opts &opts)
+{
+	return opts.common_name?: opts.hostport.host;
+}
diff --git a/ircd/net.cc b/ircd/net.cc
index 3f62e6afb..b20d2aba7 100644
--- a/ircd/net.cc
+++ b/ircd/net.cc
@@ -1158,7 +1158,7 @@ ircd::net::socket::handshake(const open_opts &opts,
 	log.debug("socket(%p) performing handshake with %s for '%s' for the next %ld$ms",
 	          this,
 	          string(remote()),
-	          opts.common_name,
+	          common_name(opts),
 	          opts.handshake_timeout.count());
 
 	auto handshake_handler
@@ -1608,17 +1608,12 @@ noexcept try
 	assert(vc.native_handle());
 	const auto &stctx{*vc.native_handle()};
 	const auto &cert{openssl::current_cert(stctx)};
-	const auto required_common_name
-	{
-		opts.common_name? opts.common_name : opts.hostport.host
-	};
-
-	const auto reject{[&stctx, &required_common_name]
+	const auto reject{[&stctx, &opts]
 	{
 		throw inauthentic
 		{
 			"%s #%ld: %s",
-			required_common_name,
+			common_name(opts),
 			openssl::get_error(stctx),
 			openssl::get_error_string(stctx)
 		};
@@ -1628,7 +1623,7 @@ noexcept try
 	{
 		char buf[256];
 		log.warning("verify: %s /CN=%s :%s",
-		            required_common_name,
+		            common_name(opts),
 		            openssl::subject_common_name(buf, cert),
 		            openssl::get_error_string(stctx));
 	}
@@ -1660,10 +1655,16 @@ noexcept try
 
 	if(opts.verify_common_name)
 	{
+		if(unlikely(empty(common_name(opts))))
+			throw inauthentic
+			{
+				"No common name specified in connection options"
+			};
+
 		//TODO: this object makes an std::string
 		boost::asio::ssl::rfc2818_verification verifier
 		{
-			std::string(required_common_name)
+			std::string(common_name(opts))
 		};
 
 		if(!verifier(true, vc))
@@ -1673,7 +1674,7 @@ noexcept try
 			{
 				"/CN=%s does not match target host %s :%s",
 				openssl::subject_common_name(buf, cert),
-				required_common_name,
+				common_name(opts),
 				openssl::get_error_string(stctx)
 			};
 		}