diff --git a/CHANGES b/CHANGES
index 60bef5659..e9b187d3e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,10 @@
                                   Changelog
 
 
+Daniel (10 January 2005)
+- Hzhijun reported a memory leak in the SSL certificate code, that leaked the
+  remote certificate name when it didn't match the used host name.
+
 Gisle (8 January 2005)
 - Added Makefile.Watcom files (src/lib). Updated Makefile.dist.
 
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 5c219d5a1..c336b1927 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -16,6 +16,7 @@ This release includes the following changes:
 
 This release includes the following bugfixes:
 
+ o SSL certificate name memory leak
  o -d with -G to multiple URLs crashed
  o double va_list access crash fixed
  o minor memory leak when "version" is set in a cookie header
@@ -31,6 +32,7 @@ This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
  Dan Fandrich, Peter Pentchev, Marcin Konicki, Rune Kleveland, David Shaw,
- Werner Koch, Gisle Vanem, Alex Neblett, Kai Sommerfeld, Marty Kuhrt
+ Werner Koch, Gisle Vanem, Alex Neblett, Kai Sommerfeld, Marty Kuhrt,
+ Hzhijun
 
         Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/ssluse.c b/lib/ssluse.c
index fa2c64ec0..d7282d519 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1003,6 +1003,7 @@ static CURLcode verifyhost(struct connectdata *conn,
 #else
   struct in_addr addr;
 #endif
+  CURLcode res = CURLE_OK;
 
 #ifdef ENABLE_IPV6
   if(conn->bits.ipv6_ip &&
@@ -1131,8 +1132,7 @@ static CURLcode verifyhost(struct connectdata *conn,
       if(data->set.ssl.verifyhost > 1) {
         failf(data, "SSL: certificate subject name '%s' does not match "
               "target host name '%s'", peer_CN, conn->host.dispname);
-        OPENSSL_free(peer_CN);
-        return CURLE_SSL_PEER_CERTIFICATE ;
+        res = CURLE_SSL_PEER_CERTIFICATE;
       }
       else
         infof(data, "\t common name: %s (does not match '%s')\n",
@@ -1140,10 +1140,11 @@ static CURLcode verifyhost(struct connectdata *conn,
     }
     else {
       infof(data, "\t common name: %s (matched)\n", peer_CN);
-      OPENSSL_free(peer_CN);
     }
+    if(peer_CN)
+      OPENSSL_free(peer_CN);
   }
-  return CURLE_OK;
+  return res;
 }
 #endif