diff --git a/m2crypto-0.21.1-SAN-ip.patch b/m2crypto-0.21.1-SAN-ip.patch
new file mode 100644
index 0000000..ab593a8
--- /dev/null
+++ b/m2crypto-0.21.1-SAN-ip.patch
@@ -0,0 +1,57 @@
+diff -ur M2Crypto/M2Crypto/SSL/Checker.py M2Crypto-0.21.1/M2Crypto/SSL/Checker.py
+--- M2Crypto/M2Crypto/SSL/Checker.py 2011-01-15 20:10:05.000000000 +0100
++++ M2Crypto-0.21.1/M2Crypto/SSL/Checker.py 2015-07-07 16:41:53.887094222 +0200
+@@ -11,6 +11,7 @@
+ 'WrongHost', 'Checker']
+
+ from M2Crypto import util, EVP, m2
++import socket
+ import re
+
+ class SSLVerificationError(Exception):
+@@ -161,6 +162,10 @@
+ self.useSubjectAltNameOnly = True
+ if self._match(host, certHost[4:]):
+ return True
++ elif certHost[:11] == 'ip address:':
++ self.useSubjectAltNameOnly = True
++ if self._matchIPAddress(host, certHost[11:]):
++ return True
+ return False
+
+
+@@ -218,6 +223,34 @@
+
+ return False
+
++ def _matchIPAddress(self, host, certHost):
++ """
++ >>> check = Checker()
++ >>> check._matchIPAddress(host='my.example.com', certHost='my.example.com')
++ False
++ >>> check._matchIPAddress(host='1.2.3.4', certHost='1.2.3.4')
++ True
++ >>> check._matchIPAddress(host='1.2.3.4', certHost='*.2.3.4')
++ False
++ >>> check._matchIPAddress(host='1.2.3.4', certHost='1.2.3.40')
++ False
++ >>> check._matchIPAddress(host='::1', certHost='::1')
++ True
++ >>> check._matchIPAddress(host='::1', certHost='0:0:0:0:0:0:0:1')
++ True
++ >>> check._matchIPAddress(host='::1', certHost='::2')
++ False
++ """
++ try:
++ canonical = socket.getaddrinfo(host, 0, 0, socket.SOCK_STREAM, 0,
++ socket.AI_NUMERICHOST)
++ certCanonical = socket.getaddrinfo(certHost, 0, 0,
++ socket.SOCK_STREAM, 0,
++ socket.AI_NUMERICHOST)
++ except:
++ return False
++ return canonical == certCanonical
++
+
+ if __name__ == '__main__':
+ import doctest
diff --git a/m2crypto.spec b/m2crypto.spec
index 1b519ad..a7c74fd 100644
--- a/m2crypto.spec
+++ b/m2crypto.spec
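Review bot: The bare `except:` around the two `socket.getaddrinfo()` calls in `_matchIPAddress` turns every failure, including KeyboardInterrupt, SystemExit and plain programming errors, into a silent "no match". The check should still fail closed for non-numeric input but catch only the resolver error, e.g. `except socket.error:` (which `socket.gaierror` derives from), so that unexpected errors surface instead of looking like a hostname mismatch. The docstring consists only of doctests; a one-line summary such as `"""Return True if host and certHost are the same numeric IP address; wildcards are never matched."""` would state the contract those tests imply.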
@@ -54,6 +54,8 @@ Patch20: m2crypto-0.21.1-tests-no-ssl23-2.patch Patch21: m2crypto-0.21.1-tests-smime-sha256.patch # https://github.com/martinpaljak/M2Crypto/issues/70 Patch22: m2crypto-0.21.1-test_cookie_str_changed.patch +# https://github.com/martinpaljak/M2Crypto/issues/19 +Patch23: m2crypto-0.21.1-SAN-ip.patch License: MIT Group: System Environment/Libraries @@ -93,6 +95,7 @@ openssl x509 -in tests/x509.pem -out tests/x509.der -outform DER %patch20 -p1 -b .no-ssl23-2 %patch21 -p1 -b .tests-smime-sha256 %patch22 -p1 -b .test_cookie_str_changed +%patch23 -p1 -b .SAN-ip # Red Hat opensslconf.h #includes an architecture-specific file, but SWIG # doesn't follow the #include. @@ -160,6 +163,8 @@ rm tests/*.{pem,py}.* # Patch backup files * Fri Oct 9 2015 Miloslav Trmač - 0.21.1-21 - Fix spurious failures of test_cookie_str_changed_mac Resolves: #1270016 +- Add support for IP addresses in subjectAltName + Resolves: #1080142 * Sat Jul 11 2015 Miloslav Trmač - 0.21.1-20 - Fix build with swig-3.0.5