Expected behavior of tcp/input/ssl_verify=true?

Logstash 8.7.1, tcp input w/ssl_verify=true. I expect that a sender using a cert w/no SANs, and whose host name does not match the cert’s CN, would be rejected, but it is accepted. What does ssl_verify=true govern?