diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index c6a80d30c2..06b166b7fd 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -650,7 +650,14 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 }
 if (rc != 0)
+ {
+ /*
+ * Either we hit an error or a match, and either way we should
+ * not fall back to the CN.
+ */
+ check_cn = false;
 break;
+ }
 }
 sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
 }
@@ -663,7 +670,7 @@ pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
 * dNSName is present, the CN must be ignored. We break this rule if host is
 * an IP address; see the comment above.)
 */
- if ((rc == 0) && check_cn)
+ if (check_cn)
 {
 X509_NAME *subject_name;
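Review bot: The new comment above `check_cn = false;` says both outcomes must skip the CN but not why that matters for the error case, and that is the invariant the old `(rc == 0)` guard was protecting: the CN branch under the second hunk's `if (check_cn)` presumably stores its own comparison result in `rc`, so falling through after a SAN error could let a later CN match overwrite that error and accept the peer. Suggest widening the comment to `/* Either we hit an error or a match; in both cases the SAN scan is decisive, and falling back to the CN could let a CN match mask an error. */`. The simplification also relies on `rc` starting at 0 and only becoming non-zero immediately before this `break`, which is established in the part of pgtls_verify_peer_name_matches_certificate_guts that begins before the hunk; a one-line remark that no other assignment to `rc` survives the loop would make that dependency visible. The block comment ending at `*/` in the second hunk still describes only the "no dNSName present" case, so it should also say that check_cn is cleared when the SAN loop exits early.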