diff --git a/lib/base/tlsstream.cpp b/lib/base/tlsstream.cpp index a431199f8..f1248eee7 100644 --- a/lib/base/tlsstream.cpp +++ b/lib/base/tlsstream.cpp @@ -85,7 +85,7 @@ TlsStream::TlsStream(const Socket::Ptr& socket, const String& hostname, Connecti TlsStream::~TlsStream(void) { - Close(); + CloseInternal(true); } int TlsStream::ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx) @@ -321,10 +321,6 @@ void TlsStream::Shutdown(void) */ void TlsStream::Close(void) { -<<<<<<< HEAD - if (!m_Eof) { - m_Eof = true; -======= CloseInternal(false); } @@ -336,15 +332,13 @@ void TlsStream::CloseInternal(bool inDestructor) m_Eof = true; if (!inDestructor) ->>>>>>> 2dc385e... Fix memory/thread leak in the HttpServerConnection class SignalDataAvailable(); - Stream::Close(); - SocketEvents::Unregister(); - boost::mutex::scoped_lock lock(m_Mutex); + Stream::Close(); + boost::mutex::scoped_lock lock(m_Mutex); if (!m_SSL) return; diff --git a/lib/base/tlsstream.hpp b/lib/base/tlsstream.hpp index ff482fa1f..132f66784 100644 --- a/lib/base/tlsstream.hpp +++ b/lib/base/tlsstream.hpp @@ -99,6 +99,8 @@ private: static int ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx); static void NullCertificateDeleter(X509 *certificate); + + void CloseInternal(bool inDestructor); }; } diff --git a/lib/remote/apilistener.cpp b/lib/remote/apilistener.cpp index 77049f71d..08c9fa8ee 100644 --- a/lib/remote/apilistener.cpp +++ b/lib/remote/apilistener.cpp @@ -321,6 +321,12 @@ void ApiListener::NewClientHandlerInternal(const Socket::Ptr& client, const Stri return; } + if (!hostname.IsEmpty() && identity != hostname) { + Log(LogInformation, "ApiListener") + << "Unexpected certificate common name while connecting to endpoint '" << hostname << "': got '" << identity << "'"; + return; + } + verify_ok = tlsStream->IsVerifyOK(); Log(LogInformation, "ApiListener")
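Review bot: `CloseInternal(bool inDestructor)` carries no comment explaining why the destructor path skips `SignalDataAvailable()`, and the declaration added in tlsstream.hpp is undocumented as well. I would put a comment above the definition along the lines of `/* Closes the stream. inDestructor suppresses SignalDataAvailable() so no handler is invoked on an object that is being destroyed. */`; the stated reason is my inference from the flag name, so please confirm it. Separately, `m_Eof = true` is written before `boost::mutex::scoped_lock lock(m_Mutex)` is taken, so if `m_Eof` is meant to be guarded by that mutex, two concurrent `Close()` calls could both run the teardown; the start of the function is outside this hunk, so I cannot see how the flag is checked.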
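Review bot: The new common-name mismatch branch in `NewClientHandlerInternal` logs at `LogInformation`, so a failed peer-identity check sits at the same level as routine connection messages; `Log(LogWarning, "ApiListener")` would make it stand out for anyone monitoring or alerting on this log. The comparison also runs before `verify_ok = tlsStream->IsVerifyOK();`, so `identity` appears to come from a certificate that has not yet been checked for validity, and the value written to the log is peer-supplied at that point. A one-line comment such as `// identity is unverified here; reject on mismatch regardless of verify_ok` would record that the ordering is intentional. The function begins and continues outside this hunk, so how `verify_ok` is enforced afterwards is not visible here.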