diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h
index 324007126d2..c7802b94185 100644
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2026 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -198,8 +198,14 @@ typedef struct esp_tls_cfg {
     const char *common_name; /*!< If non-NULL, server certificate CN must match this name.
                                   If NULL, server certificate CN must match hostname. */
-    bool skip_common_name; /*!< Skip any validation of server certificate CN field.
-                                This field should be set to false for SNI to function correctly. */
+    bool skip_common_name; /*!< When true, esp-tls skips the call to
+                                mbedtls_ssl_set_hostname(). This disables BOTH
+                                server-hostname matching against the certificate
+                                (CN/SAN) and Server Name Indication (SNI), not just
+                                the legacy CN field. Only set on loopback / debug
+                                clients that can tolerate the loss of hostname
+                                authentication. Must be false for SNI to function
+                                correctly. */
     tls_keep_alive_cfg_t *keep_alive_cfg; /*!< Enable TCP keep-alive timeout for SSL connection */
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index 1afdcb13bbb..ebcfba4cf11 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -931,6 +931,9 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
         }
         free(use_host);
     } else {
+        ESP_LOGW(TAG, "skip_common_name=true: hostname matching and SNI disabled. "
+                 "This disables ALL server-name authentication (CN/SAN/SNI), not just CN. "
+                 "Only intended for loopback / debug clients.");
         mbedtls_ssl_set_hostname(&tls->ssl, NULL);
     }
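Review bot: The new doc comment on `skip_common_name` states that esp-tls "skips the call to mbedtls_ssl_set_hostname()", but the companion hunk in esp_tls_mbedtls.c shows the skip branch still executing `mbedtls_ssl_set_hostname(&tls->ssl, NULL);` — the call is made with a NULL hostname, not omitted. That distinction matters to anyone auditing what the flag actually does with the TLS stack, so the first sentence should read `/*!< When true, esp-tls calls mbedtls_ssl_set_hostname() with NULL instead of the peer hostname. This disables BOTH` with the rest of the text unchanged. The explicit NULL call looks deliberate rather than accidental, which is one more reason to document it as such. The `esp_tls_cfg` struct begins before and continues after this hunk.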
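Review bot: The warning is placed directly above `mbedtls_ssl_set_hostname(&tls->ssl, NULL);`, whose return value is still discarded, whereas the non-skip branch at the top of the hunk performs cleanup after its own set_hostname call and presumably reports a failure; since this NULL call is now the only thing telling mbedtls that the application intentionally forgoes hostname authentication, a failure there should not be silent. I would mirror the other branch: `if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, NULL)) != 0) { return ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED; }` (the `-ret` in the later hunk confirms `ret` is in scope; the error code is the one esp-tls already uses for set_hostname failures, if that is indeed what the other branch returns). As a point of style, the three-literal message repeats the header comment nearly verbatim; a one-line `ESP_LOGW(TAG, "skip_common_name=true: hostname (CN/SAN) matching and SNI disabled, see esp_tls_cfg_t::skip_common_name");` keeps the log compact on constrained targets while still surfacing the risk on every affected handshake. `set_client_config` starts before and ends after this hunk.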
@@ -1003,10 +1006,6 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
             ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
             return ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED;
         }
-#endif
-#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
-    } else if (cfg->client_session != NULL) {
-        ESP_LOGD(TAG, "Reusing the saved client session");
 #endif
     } else {
 #ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY