lib/PublicInbox/DS.pm   |  4 ++--
 lib/PublicInbox/NNTP.pm |  2 +-
 t/nntpd-tls.t           | 17 +++++++++++++++++

diff --git a/lib/PublicInbox/DS.pm b/lib/PublicInbox/DS.pm
index 044b991c8c602abbee79a7b947ac3a21bacae50b..2c886b4e4ff64674b6d367be0b528c5322417cdf 100644
--- a/lib/PublicInbox/DS.pm
+++ b/lib/PublicInbox/DS.pm
@@ -293,8 +293,8 @@     #  being reused and confused during the event loop)
     while (my $sock = shift @ToClose) {
         my $fd = fileno($sock);
 
-        # close the socket.  (not a PublicInbox::DS close)
-        $sock->close;
+        # close the socket. (not a PublicInbox::DS close)
+        CORE::close($sock);
 
         # and now we can finally remove the fd from the map.  see
         # comment above in ->close.
diff --git a/lib/PublicInbox/NNTP.pm b/lib/PublicInbox/NNTP.pm
index 659e44d5501194499eac24634c81243282bd4441..8840adbb8a807aa2fb0a2741675a0d137b232320 100644
--- a/lib/PublicInbox/NNTP.pm
+++ b/lib/PublicInbox/NNTP.pm
@@ -101,7 +101,7 @@ 	my $self = fields::new($class);
 	my $ev = EPOLLOUT | EPOLLONESHOT;
 	my $wbuf = [];
 	if (ref($sock) eq 'IO::Socket::SSL' && !$sock->accept_SSL) {
-		$ev = PublicInbox::TLS::epollbit() or return $sock->close;
+		$ev = PublicInbox::TLS::epollbit() or return CORE::close($sock);
 		$ev |= EPOLLONESHOT;
 		$wbuf->[0] = \&PublicInbox::DS::accept_tls_step;
 	}
diff --git a/t/nntpd-tls.t b/t/nntpd-tls.t
index 53890ff26e4eb09f4c20ead092126022aee2c37b..4727ee5bb6f68e5e88e0e8f1cf180effad842f45 100644
--- a/t/nntpd-tls.t
+++ b/t/nntpd-tls.t
@@ -135,6 +135,23 @@ 	my $n = $c->command('STARTTLS')->response();
 	is($n, Net::Cmd::CMD_ERROR(), 'error attempting STARTTLS again');
 	is($c->code, 502, '502 according to RFC 4642 sec#2.2.1');
 
+	# STARTTLS with bad hostname
+	$o{SSL_hostname} = $o{SSL_verifycn_name} = 'server.invalid';
+	$c = Net::NNTP->new($starttls_addr, %o);
+	$list = $c->list;
+	is_deeply($list, $expect, 'plain LIST works again');
+	ok(!$c->starttls, 'STARTTLS fails with bad hostname');
+	$c = Net::NNTP->new($starttls_addr, %o);
+	$list = $c->list;
+	is_deeply($list, $expect, 'not broken after bad negotiation');
+
+	# NNTPS with bad hostname
+	$c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
+	is($c, undef, 'NNTPS fails with bad hostname');
+	$o{SSL_hostname} = $o{SSL_verifycn_name} = 'server.local';
+	$c = Net::NNTP->new($nntps_addr, %o, SSL => 1);
+	ok($c, 'NNTPS succeeds again with valid hostname');
+
 	$c = undef;
 	kill('TERM', $pid);
 	is($pid, waitpid($pid, 0), 'nntpd exited successfully');