diff --git a/src/util.cc b/src/util.cc
index bebd40b0..3e0e9493 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -1636,39 +1636,37 @@ bool noProxyDomainMatch bool tlsHostnameMatch(const std::string& pattern, const std::string& hostname) { - // Do case-insensitive match. At least 2 dots are required to enable - // wildcard match. + std::string::const_iterator ptWildcard = std::find(pattern.begin(), + pattern.end(), + '*'); + if(ptWildcard == pattern.end()) { + return strieq(pattern.begin(), pattern.end(), + hostname.begin(), hostname.end()); + } std::string::const_iterator ptLeftLabelEnd = std::find(pattern.begin(), pattern.end(), '.'); bool wildcardEnabled = true; + // Do case-insensitive match. At least 2 dots are required to enable + // wildcard match. Also wildcard must be in the left-most label. + // Don't attempt to match a presented identifier where the wildcard + // character is embedded within an A-label. if(ptLeftLabelEnd == pattern.end() || - std::find(ptLeftLabelEnd+1, pattern.end(), '.') == pattern.end()) { + std::find(ptLeftLabelEnd+1, pattern.end(), '.') == pattern.end() || + ptLeftLabelEnd < ptWildcard || + istartsWith(pattern, "xn--")) { wildcardEnabled = false; } if(!wildcardEnabled) { return strieq(pattern.begin(), pattern.end(), hostname.begin(), hostname.end()); } - std::string::const_iterator ptWildcard = std::find(pattern.begin(), - ptLeftLabelEnd, - '*'); - if(ptWildcard == ptLeftLabelEnd) { - return strieq(pattern.begin(), pattern.end(), - hostname.begin(), hostname.end()); - } std::string::const_iterator hnLeftLabelEnd = std::find(hostname.begin(), hostname.end(), '.'); if(!strieq(ptLeftLabelEnd, pattern.end(), hnLeftLabelEnd, hostname.end())) { return false; } - // Don't attempt to match a presented identifier where the wildcard - // character is embedded within an A-label. - if(istartsWith(pattern, "xn--")) { - return strieq(pattern.begin(), ptLeftLabelEnd, - hostname.begin(), hnLeftLabelEnd); - } // Perform wildcard match. Here '*' must match at least one // character. if(hnLeftLabelEnd - hostname.begin() < ptLeftLabelEnd - pattern.begin()) {
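Review bot: In the `if(!wildcardEnabled)` branch the pattern is now known to contain `*`, because the no-wildcard case returned earlier, yet it is still compared literally against `hostname`, so a certificate name that fails the wildcard rules can still match when the hostname itself carries a `*` in the same position. This is certificate name checking, and whether callers reject such hostnames is not visible here, so failing closed would be safer and simpler: `if(!wildcardEnabled) { return false; }`, or fold the conditions into one early `return false` and drop the flag. Only the first `*` is located, so a pattern with a second `*` in the left-most label stays wildcard-enabled; how that is handled depends on the matching code after the hunk, and an extra condition such as `std::find(ptWildcard+1, ptLeftLabelEnd, '*') != ptLeftLabelEnd` would reject it explicitly. The function body continues past the last hunk line.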