diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index d2107a51fb..99f215ec1d 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -342,6 +342,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
 Sockbuf *sb = conn->lconn_sb;
 int err;
 tls_session *ssl = NULL;
+ char *sni = host;
 if ( HAS_TLS( sb )) {
 ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
@@ -376,7 +377,26 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
 lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
 }
- err = tls_imp->ti_session_connect( ld, ssl, host );
+ /* pass hostname for SNI, but only if it's an actual name
+ * and not a numeric address
+ */
+ {
+ int numeric = 1;
+ char *c;
+ for ( c = sni; *c; c++ ) {
+ if ( *c == ':' ) /* IPv6 address */
+ break;
+ if ( *c == '.' )
+ continue;
+ if ( !isdigit( *c )) {
+ numeric = 0;
+ break;
+ }
+ }
+ if ( numeric )
+ sni = NULL;
+ }
+ err = tls_imp->ti_session_connect( ld, ssl, sni );
 #ifdef HAVE_WINSOCK
 errno = WSAGetLastError();
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index a9b0f539e6..196134f6f4 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -530,7 +530,9 @@ tlso_session_connect( LDAP *ld, tls_session *sess, const char *name_in )
 int rc;
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
- SSL_set_tlsext_host_name( s, name_in );
+ if ( name_in ) {
+ SSL_set_tlsext_host_name( s, name_in );
+ }
 #endif
 /* Caller expects 0 = success, OpenSSL returns 1 = success */
 rc = SSL_connect( s ) - 1;
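Review bot: The added `char *sni = host;` drops the `const` qualifier, because `host` is declared `const char *host` in the signature shown in the hunk header. Compilers will warn about the discarded qualifier, and the non-const pointer invites an accidental write through it later. Declare it as `const char *sni = host;`. The cursor `char *c;` in the next hunk of this file needs the same change, `const char *c;`. The body of ldap_int_tls_connect starts and ends outside this hunk.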
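Review bot: The numeric-address scan misclassifies IPv6 literals whose first group starts with a hex letter, such as `fe80::1` or `fd00::1`. The `!isdigit( *c )` branch clears `numeric` and breaks before the `':'` test is ever reached, so the literal is passed on as SNI, which RFC 6066 does not permit for IP addresses. Checking for `':'` anywhere in the string before the digit scan closes that gap. Separately, `isdigit( *c )` takes a plain `char`, which is undefined for negative values (bytes >= 0x80 where `char` is signed), so cast it with `isdigit( (unsigned char)*c )`. The loop also dereferences `sni` unconditionally; whether `host` can be NULL here is not visible in the hunk and should be confirmed, as should the presence of `<ctype.h>` and `<string.h>` in the file's includes.

```c
	{
		int numeric = 1;
		const char *c;
		/* ':' cannot occur in a DNS name, so finding one anywhere means an IPv6 literal */
		if ( strchr( sni, ':' ) == NULL ) {
			for ( c = sni; *c; c++ ) {
				if ( *c == '.' )
					continue;
				/* cast: isdigit() is undefined for negative char values */
				if ( !isdigit( (unsigned char)*c )) {
					numeric = 0;
					break;
				}
			}
		}
		/* … unchanged: numeric result clears sni, then the ti_session_connect call … */
```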
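Review bot: The result of `SSL_set_tlsext_host_name( s, name_in )` is still discarded inside the new `if ( name_in )` guard, so a failure to set the extension lets `SSL_connect` run without SNI and leaves no trace of why. The server may then present a default certificate, and the failure shows up later as a confusing name mismatch. Test the return, which is 1 on success, for example `if ( name_in && SSL_set_tlsext_host_name( s, name_in ) != 1 )`, followed by whatever error path fits this function; the right return code is not visible here. The caller can now pass NULL for numeric hosts, and only the OpenSSL backend is guarded in this diff, so any other `ti_session_connect` implementation should be checked for NULL tolerance as well. The body of tlso_session_connect continues outside the hunk.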