diff --git a/.gitignore b/.gitignore
index 7dbbb248f7..1e73160fe9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,7 +38,6 @@
 .tags_sorted_by_file
 .target
 .worksheet
-Makefile
 TAGS
 _akka_cluster/
 _dump
diff --git a/akka-remote/src/test/resources/Makefile b/akka-remote/src/test/resources/Makefile
new file mode 100644
index 0000000000..5343762ec5
--- /dev/null
+++ b/akka-remote/src/test/resources/Makefile
@@ -0,0 +1,17 @@
+all: truststore keystore
+
+truststore: domain.crt
+	keytool -importcert -file domain.crt -keystore truststore -deststorepass changeme
+
+keystore: domain.crt domain.key
+	openssl pkcs12 -export -inkey domain.key -passin pass:changeme -in domain.crt -out keystore -passout pass:changeme
+
+domain.crt: domain.csr domain.key
+	openssl x509 -req -in domain.csr -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost")) -out domain.crt -extensions SAN -signkey domain.key
+
+domain.csr:
+	openssl req -new -sha256 -key domain.key -subj "/C=ZA/ST=web/O=Lightbend/CN=akka-remote" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost")) -out domain.csr -passout pass:changeme
+
+.PHONY: clean
+clean:
+	rm domain.crt domain.csr keystore truststore
diff --git a/akka-remote/src/test/resources/keystore b/akka-remote/src/test/resources/keystore
index ee5581d930..a76d66d7ab 100644
Binary files a/akka-remote/src/test/resources/keystore and b/akka-remote/src/test/resources/keystore differ
diff --git a/akka-remote/src/test/resources/truststore b/akka-remote/src/test/resources/truststore
index cc07616dad..f70de5dde2 100644
Binary files a/akka-remote/src/test/resources/truststore and b/akka-remote/src/test/resources/truststore differ
diff --git a/akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala b/akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala
index 560a96b9ba..3acb3f7ed6 100644
--- a/akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala
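Review bot: The `domain.crt` recipe runs `openssl x509 -req` without a `-days` argument, so the certificate gets openssl's default validity of 30 days and the keystore/truststore regenerated from it will stop validating within a month; add `-days 3650` (or whatever lifetime the fixtures should have) to that line. The `<(...)` process substitutions in the `domain.crt` and `domain.csr` recipes are bash syntax, but make runs recipes under `/bin/sh` unless the file sets `SHELL := /bin/bash`, so on dash-based systems both targets fail with a syntax error. Nothing in the file produces `domain.key`, so from a clean checkout `make` stops at `domain.csr`; a `domain.key:` target generating the key would close the gap and let `domain.csr` declare it as a prerequisite. `keytool -importcert` also prompts interactively unless `-noprompt` is given, which matters if regeneration is ever scripted.
```makefile
SHELL := /bin/bash

all: truststore keystore

# … unchanged: truststore and keystore targets …

domain.crt: domain.csr domain.key
	openssl x509 -req -in domain.csr -sha256 -days 3650 -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost")) -out domain.crt -extensions SAN -signkey domain.key

domain.csr: domain.key
	# … unchanged: openssl req invocation …

domain.key:
	openssl genrsa -out domain.key 2048

# … unchanged: clean target …
```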
+++ b/akka-remote/src/test/scala/akka/remote/artery/ArterySpecSupport.scala
@@ -22,7 +22,7 @@ object ArterySpecSupport {
 provider = remote
 serialize-creators = off
 }
-akka.remote.warn-about-direct-use = off
+remote.warn-about-direct-use = off
 remote.artery {
 enabled = on
 canonical {
diff --git a/akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala b/akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala
index 7b369cce26..d48f39932b 100644
--- a/akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala
+++ b/akka-remote/src/test/scala/akka/remote/artery/tcp/TlsTcpSpec.scala
@@ -25,6 +25,8 @@ import com.typesafe.config.Config
 import com.typesafe.config.ConfigFactory
 import javax.net.ssl.SSLEngine
+import akka.testkit.EventFilter
+
 class TlsTcpWithDefaultConfigSpec extends TlsTcpSpec(ConfigFactory.empty())
 class TlsTcpWithSHA1PRNGSpec
@@ -183,22 +185,65 @@ class TlsTcpWithHostnameVerificationSpec
 akka.remote.artery.ssl.config-ssl-engine {
 hostname-verification = on
 }
+akka.remote.use-unsafe-remote-features-without-cluster = on
+
+akka.loggers = ["akka.testkit.TestEventListener"]
 """).withFallback(TlsTcpSpec.config)) with ImplicitSender {
-val systemB = newRemoteSystem(name = Some("systemB"))
-val addressB = address(systemB)
-val rootB = RootActorPath(addressB)
-
 "Artery with TLS/TCP and hostname-verification=on" must {
-"reject invalid" in {
+"fail when the name in the server certificate does not match" in {
 // this test only makes sense with tls-tcp transport
 if (!arteryTcpTlsEnabled()) pending
+val systemB = newRemoteSystem(
+// The subjectAltName is 'localhost', so connecting to '127.0.0.1' should not
+// work when using hostname verification:
+extraConfig = Some("""akka.remote.artery.canonical.hostname = "127.0.0.1""""),
+name = Some("systemB"))
+
+val addressB = address(systemB)
+val rootB = RootActorPath(addressB)
+
+systemB.actorOf(TestActors.echoActorProps, "echo")
+EventFilter
+.warning(
+pattern =
+"outbound connection to \\[akka://systemB@127.0.0.1:.*" +
+"Upstream failed, cause: SSLHandshakeException: General SSLEngine problem",
+occurrences = 3)
+.intercept {
+system.actorSelection(rootB / "user" / "echo") ! Identify("echo")
+}
+expectNoMessage(2.seconds)
+systemB.terminate()
+}
+"succeed when the name in the server certificate matches" in {
+if (!arteryTcpTlsEnabled())
+pending
+
+val systemB = newRemoteSystem(
+extraConfig = Some("""
+// The subjectAltName is 'localhost', so this is how we want to be known:
+akka.remote.artery.canonical.hostname = "localhost"
+
+// Though we will still bind to 127.0.0.1 (make sure it's not ipv6)
+akka.remote.artery.bind.hostname = "127.0.0.1"
+"""),
+name = Some("systemB"))
+
+val addressB = address(systemB)
+val rootB = RootActorPath(addressB)
+
 systemB.actorOf(TestActors.echoActorProps, "echo")
 system.actorSelection(rootB / "user" / "echo") ! Identify("echo")
-expectNoMessage(2.seconds)
+val id = expectMsgType[ActorIdentity]
+
+id.ref.get ! "42"
+expectMsg("42")
+
+systemB.terminate()
 }
 }
 }
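Review bot: `id.ref.get` in the "succeed when the name in the server certificate matches" test calls `.get` on an `Option[ActorRef]`, so if identification comes back without a ref the test dies with a bare `NoSuchElementException` instead of saying what went wrong; prefer `val echo = id.ref.getOrElse(throw new AssertionError(s"echo actor not identified: $id"))` (or ScalaTest's `fail`, if it is in scope here) and then `echo ! "42"`. The `EventFilter.warning` pattern in the negative test pins the exact JDK wording `SSLHandshakeException: General SSLEngine problem` and `occurrences = 3`; if I recall correctly newer JDK TLS stacks report the underlying certificate error text instead, and the count is tied to the outbound connection retry configuration, so matching on `SSLHandshakeException` plus the `systemB@127.0.0.1` address and a looser occurrence count would make the check less brittle while still proving hostname verification rejected the peer. `systemB.terminate()` in both tests is only reached when every assertion before it passes; unless `newRemoteSystem` registers the system for shutdown in the spec's teardown (not visible here), a failed assertion leaves systemB running and bound to a port for the rest of the suite. The enclosing class `TlsTcpWithHostnameVerificationSpec` starts before this hunk.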