-rw-r--r-- | docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 | 13 | ||||
-rw-r--r-- | lib/vtls/darwinssl.c | 3 |
2 files changed, 13 insertions, 3 deletions
diff --git a/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3 b/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
index 159147327..acadd0774 100644
--- a/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
+++ b/docs/libcurl/opts/CURLOPT_SSL_VERIFYHOST.3
@@ -58,9 +58,16 @@ The default value for this option is 2. This option controls checking the server's certificate's claimed identity. The server could be lying. To control lying, see
-\fICURLOPT_SSL_VERIFYPEER(3)\fP. If libcurl is built against NSS and
-\fICURLOPT_SSL_VERIFYPEER(3)\fP is zero, \fICURLOPT_SSL_VERIFYHOST(3)\fP is
-also set to zero and cannot be overridden.
+\fICURLOPT_SSL_VERIFYPEER(3)\fP.
+.SH LIMITATIONS
+DarwinSSL: If \fIverify\fP value is 0, then SNI is also disabled. SNI is a TLS
+extension that sends the hostname to the server. The server may use that
+information to do such things as sending back a specific certificate for the
+hostname, or forwarding the request to a specific origin server. Some hostnames
+may be inaccessible if SNI is not sent.
+
+NSS: If \fICURLOPT_SSL_VERIFYPEER(3)\fP is zero,
+\fICURLOPT_SSL_VERIFYHOST(3)\fP is also set to zero and cannot be overridden.
 .SH DEFAULT
 2
 .SH PROTOCOLS
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 050bf960b..25a8ab8b6 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1425,6 +1425,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 "the OS.\n");
 }
 }
+ else {
+ infof(data, "WARNING: disabling hostname validation also disables SNI.\n");
+ }
 /* Disable cipher suites that ST supports but are not safe. These ciphers are unlikely to be used in any case since ST gives other ciphers a much |