diff --git a/conn.go b/conn.go
index 78566fa..9bf9f21 100644
--- a/conn.go
+++ b/conn.go
@@ -675,5 +675,13 @@ func (c *Conn) PeerCertificates() []*x509.Certificate {
 // connecting to host. If so, it returns nil; if not, it returns an os.Error
 // describing the problem.
 func (c *Conn) VerifyHostname(host string) os.Error {
- return c.PeerCertificates()[0].VerifyHostname(host)
+ c.handshakeMutex.Lock()
+ defer c.handshakeMutex.Unlock()
+ if !c.isClient {
+ return os.ErrorString("VerifyHostname called on TLS server connection")
+ }
+ if !c.handshakeComplete {
+ return os.ErrorString("TLS handshake has not yet been performed")
+ }
+ return c.peerCertificates[0].VerifyHostname(host)
 }
diff --git a/tls.go b/tls.go
index 27e32cc..2aec160 100644
--- a/tls.go
+++ b/tls.go
@@ -67,7 +67,13 @@ func Dial(network, laddr, raddr string) (net.Conn, os.Error) {
 if err != nil {
 return nil, err
 }
- return Client(c, nil), nil
+ conn := Client(c, nil)
+ err = conn.Handshake()
+ if err == nil {
+ return conn, nil
+ }
+ c.Close()
+ return nil, err
 }
 
 // LoadX509KeyPair
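Review bot: The last line of VerifyHostname still indexes `c.peerCertificates[0]` with no length check, so a completed handshake that recorded no peer certificate would panic instead of returning an error. Whether the handshake code guarantees at least one certificate is not visible in this hunk, so a guard such as `if len(c.peerCertificates) == 0 { return os.ErrorString("no peer certificate available") }` before the return keeps the failure on the error path. The doc comment, which begins above the hunk, should also name the two new error cases (server-side connection, handshake not yet performed). It should state as well that a nil result only means the leaf certificate's names match host, not that the chain was validated.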
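Review bot: Nothing on the new path in Dial checks the server's certificate against the name the caller dialled: the connection is built with `Client(c, nil)` and returned as soon as `conn.Handshake()` succeeds. A caller can easily take a non-nil result to mean an authenticated peer, and because the return type is net.Conn they would have to type-assert to reach VerifyHostname. Dial's doc comment and signature sit outside the hunk; I would add there something like `// Dial completes the TLS handshake before returning but does not verify the server's hostname; callers must call VerifyHostname on the resulting connection.` As a point of style, the error branch reads more conventionally as a guard, `if err != nil { c.Close(); return nil, err }`, followed by `return conn, nil`.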