diff --git a/lib/mbedtls_wrapper/include/openssl/ssl.h b/lib/mbedtls_wrapper/include/openssl/ssl.h
index d9f8b4c9..9afa0628 100755
--- a/lib/mbedtls_wrapper/include/openssl/ssl.h
+++ b/lib/mbedtls_wrapper/include/openssl/ssl.h
@@ -1522,6 +1522,20 @@ int SSL_get_verify_mode(const SSL *ssl);
  */
 X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
 
+/**
+ * @brief set expected hostname the peer cert CN should have
+ *
+ * @param param - verify parameters from SSL_get0_param()
+ *
+ * @param name - the expected hostname
+ *
+ * @param namelen - the length of the hostname, or 0 if NUL terminated
+ *
+ * @return verify parameters
+ */
+int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
+                                const char *name, size_t namelen);
+
 /**
  * @brief get SSL write only IO handle
  *
diff --git a/lib/mbedtls_wrapper/platform/ssl_pm.c b/lib/mbedtls_wrapper/platform/ssl_pm.c
index 54319d25..3350180b 100755
--- a/lib/mbedtls_wrapper/platform/ssl_pm.c
+++ b/lib/mbedtls_wrapper/platform/ssl_pm.c
@@ -659,3 +659,31 @@ long ssl_pm_get_verify_result(const SSL *ssl)
 
     return verify_result;
 }
+
+/**
+ * @brief set expected hostname on peer cert CN
+ */
+
+int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
+                                const char *name, size_t namelen)
+{
+	SSL *ssl = (SSL *)((char *)param - offsetof(SSL, param));
+	struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+	char *name_cstr;
+
+	if (namelen) {
+		name_cstr = malloc(namelen + 1);
+		if (!name_cstr)
+			return 0;
+		memcpy(name_cstr, name, namelen);
+		name_cstr[namelen] = '\0';
+		name = name_cstr;
+	}
+
+	mbedtls_ssl_set_hostname(&ssl_pm->ssl, name);
+
+	if (namelen)
+		free(name_cstr);
+
+	return 1;
+}