diff --git a/packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts b/packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts
index d926caf405e22..4ad18aed4f17d 100644
--- a/packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts
+++ b/packages/@aws-cdk/aws-iam/lib/oidc-provider/external.ts
@@ -28,7 +28,7 @@ async function downloadThumbprint(issuerUrl: string) {
     if (!purl.host) {
       return ko(new Error(`unable to determine host from issuer url ${issuerUrl}`));
     }
-    const socket = tls.connect(port, purl.host, { rejectUnauthorized: false });
+    const socket = tls.connect(port, purl.host, { rejectUnauthorized: false, servername: purl.host });
     socket.once('error', ko);
     socket.once('secureConnect', () => {
       const cert = socket.getPeerCertificate();