--- src/openssl.c
+++ src/openssl.c
@@ -481,6 +481,7 @@
 {
   X509 *cert;
   char common_name[256];
+  int len1, len2;
   long vresult;
   bool success = true;
 
@@ -562,9 +563,34 @@
        UTF-8 which can be meaningfully compared to HOST.  */
 
   common_name[0] = '\0';
-  X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
-                             NID_commonName, common_name, sizeof (common_name));
-  if (!pattern_match (common_name, host))
+  len1 = X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
+				    NID_commonName, NULL, 0);
+  len2 = X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
+				    NID_commonName, common_name,
+				    sizeof(common_name));
+  if (len1 < 0 || len2 < 0)
+    {
+      logprintf (LOG_NOTQUIET, _("\
+%s: certificate has no common name.\n"),
+                 severity);
+      success = false;
+    }
+  if (len1 != len2)
+    {
+      logprintf (LOG_NOTQUIET, _("\
+%s: certificate common name is %d bytes long, maximum allowed is %d.\n"),
+                 severity, len1, sizeof(common_name)-1);
+      success = false;
+    }
+  else if (len2 != strlen(common_name))
+    {
+      logprintf (LOG_NOTQUIET, _("\
+%s: certificate common name contains a NULL character: '%s\\0%s'.\n"),
+                 severity, escnonprint (common_name),
+		 escnonprint (common_name + strlen(common_name)+1));
+      success = false;
+    }
+  else if (!pattern_match (common_name, host))
     {
       logprintf (LOG_NOTQUIET, _("\
 %s: certificate common name `%s' doesn't match requested host name `%s'.\n"),