diff --git a/doc/Changelog b/doc/Changelog
index c4c1e1864..a1c853897 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+10 July 2018: Wouter
+	- Note in documentation that the cert name match code needs
+	  OpenSSL 1.1.0 or later to be enabled.
+
 6 July 2018: Wouter
 	- Fix documentation ambiguity for tls-win-cert in tls-upstream and
 	  forward-tls-upstream docs.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index c3a4c14c1..4698c38e9 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1504,6 +1504,7 @@ the '@' and '#', the '@' comes first.
 At high verbosity it logs the TLS certificate, with TLS enabled.
 If you leave out the '#' and auth name from the forward\-addr, any
 name is accepted.  The cert must also match a CA from the tls\-cert\-bundle.
+The cert name match code needs OpenSSL 1.1.0 or later to be enabled.
 .TP
 .B forward\-first: \fI<yes or no>
 If enabled, a query is attempted without the forward clause if it fails.