diff --git a/TunnelKit/Sources/Core/SessionProxy.swift b/TunnelKit/Sources/Core/SessionProxy.swift
index e045c68..3a45bf3 100644
--- a/TunnelKit/Sources/Core/SessionProxy.swift
+++ b/TunnelKit/Sources/Core/SessionProxy.swift
@@ -771,7 +771,8 @@ public class SessionProxy {
 negotiationKey.tlsOptional = TLSBox(
 caPath: caURL.path,
 clientCertificatePath: (configuration.clientCertificate != nil) ? clientCertificateURL.path : nil,
- clientKeyPath: (configuration.clientKey != nil) ? clientKeyURL.path : nil
+ clientKeyPath: (configuration.clientKey != nil) ? clientKeyURL.path : nil,
+ checksEKU: true
 )
 do {
 try negotiationKey.tls.start()
diff --git a/TunnelKit/Sources/Core/TLSBox.h b/TunnelKit/Sources/Core/TLSBox.h
index 76e6d54..16194f5 100644
--- a/TunnelKit/Sources/Core/TLSBox.h
+++ b/TunnelKit/Sources/Core/TLSBox.h
@@ -55,7 +55,8 @@ extern NSString *const TLSBoxPeerVerificationErrorNotification;
 - (instancetype)initWithCAPath:(NSString *)caPath
 clientCertificatePath:(nullable NSString *)clientCertificatePath
- clientKeyPath:(nullable NSString *)clientKeyPath;
+ clientKeyPath:(nullable NSString *)clientKeyPath
+ checksEKU:(BOOL)checksEKU;
 - (BOOL)startWithError:(NSError **)error;
diff --git a/TunnelKit/Sources/Core/TLSBox.m b/TunnelKit/Sources/Core/TLSBox.m
index 65f9a78..6a7a532 100644
--- a/TunnelKit/Sources/Core/TLSBox.m
+++ b/TunnelKit/Sources/Core/TLSBox.m
@@ -65,6 +65,7 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
 @property (nonatomic, strong) NSString *caPath;
 @property (nonatomic, strong) NSString *clientCertificatePath;
 @property (nonatomic, strong) NSString *clientKeyPath;
+@property (nonatomic, assign) BOOL checksEKU;
 @property (nonatomic, assign) BOOL isConnected;
 @property (nonatomic, unsafe_unretained) SSL_CTX *ctx;
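Review bot: The new `checksEKU:(BOOL)checksEKU;` parameter on the public initializer in TLSBox.h carries no doc comment, so a caller cannot tell from the header what passing NO gives up, and this is a peer-verification setting rather than a cosmetic option. Suggest a comment above the declaration along the lines of `/// checksEKU: when NO, the extended key usage of the server certificate is not verified once the handshake finishes; pass YES unless the server is known to need it disabled.` The effect of NO is only visible in TLSBox.m, where the `-verifyEKUWithSSL:` call is now gated on `self.checksEKU`, which is the wrong place for a caller to have to look.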
@@ -105,12 +106,16 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
 return nil;
 }
-- (instancetype)initWithCAPath:(NSString *)caPath clientCertificatePath:(NSString *)clientCertificatePath clientKeyPath:(NSString *)clientKeyPath
+- (instancetype)initWithCAPath:(NSString *)caPath
+ clientCertificatePath:(NSString *)clientCertificatePath
+ clientKeyPath:(NSString *)clientKeyPath
+ checksEKU:(BOOL)checksEKU
 {
 if ((self = [super init])) {
 self.caPath = caPath;
 self.clientCertificatePath = clientCertificatePath;
 self.clientKeyPath = clientKeyPath;
+ self.checksEKU = checksEKU;
 self.bufferCipherText = allocate_safely(TLSBoxMaxBufferLength);
 }
 return self;
@@ -196,7 +201,7 @@ int TLSBoxVerifyPeer(int ok, X509_STORE_CTX *ctx) {
 if (!self.isConnected && SSL_is_init_finished(self.ssl)) {
 self.isConnected = YES;
- if (![self verifyEKUWithSSL:self.ssl]) {
+ if (self.checksEKU && ![self verifyEKUWithSSL:self.ssl]) {
 if (error) {
 *error = TunnelKitErrorWithCode(TunnelKitErrorCodeTLSBoxServerEKU);
 }
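Review bot: Gating the check as `if (self.checksEKU && ![self verifyEKUWithSSL:self.ssl])` lets server-certificate verification be weakened silently: when `checksEKU` is NO, `self.isConnected` has already been set to YES on the line above and, within this hunk, nothing records that the EKU verification was skipped. Suggest a why-comment on that line, e.g. `// EKU check is opt-out; with checksEKU == NO a server certificate without the expected EKU is accepted`, and a log line for the skipped case so a connection made without the check shows up in diagnostics. Since the only call site in SessionProxy.swift passes `true`, any configuration field that later drives this value should default to YES so the weaker mode is always an explicit choice. The enclosing method of this hunk starts and ends outside it.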