diff --git a/destination.go b/destination.go
index dbcd2e9..0823671 100644
--- a/destination.go
+++ b/destination.go
@@ -260,7 +260,7 @@ func (d *destinationConn) runConnect(ctx context.Context, stream *quic.Stream, r
 case err != nil:
 return pbconnect.WriteError(stream, pberror.Code_DestinationRelayEncryptionError, "select encryption scheme: %v", err)
 case encryption == model.TLSEncryption:
- scfg, err := d.dst.getSourceTLS(req.Connect.SourceTls.ClientName)
+ scfg, err := d.dst.getSourceTLS(req.Connect.SourceTls.GetClientName())
 if err != nil {
 return pbconnect.WriteError(stream, pberror.Code_DestinationRelayEncryptionError, "destination tls: %v", err)
 }
diff --git a/peer.go b/peer.go
index 0d972a1..0555d30 100644
--- a/peer.go
+++ b/peer.go
@@ -344,6 +344,10 @@ func (p *peer) newECDHConfig() (*ecdh.PrivateKey, *pbconnect.ECDHConfiguration,
 }
 
 func (p *peer) getECDHPublicKey(cfg *pbconnect.ECDHConfiguration) (*ecdh.PublicKey, error) {
+ if cfg == nil {
+ return nil, fmt.Errorf("missing ecdh configuration")
+ }
+
 remotes, ok := p.peers.Peek()
 if !ok {
 return nil, fmt.Errorf("no peers found")
@@ -375,6 +379,9 @@ func (p *peer) getECDHPublicKey(cfg *pbconnect.ECDHConfiguration) (*ecdh.PublicK
 if !ok {
 return nil, fmt.Errorf("peer certificate has unexpected public key type %T", candidates[0].PublicKey)
 }
+ if len(cfg.KeyTime) != 40 { // expected size is 32 (ECDG public key) + 8 (timestamp)
+ return nil, fmt.Errorf("keytime length check failed: %d", len(cfg.KeyTime))
+ }
 if !ed25519.Verify(certPublic, cfg.KeyTime, cfg.Signature) {
 return nil, fmt.Errorf("signature verification failed")
 }
diff --git a/sources.go b/sources.go
index 24272be..6ac8084 100644
--- a/sources.go
+++ b/sources.go
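Review bot: The new getter only makes the `SourceTls` hop nil-safe; `req.Connect` is still dereferenced as a raw field on the changed line, so a Connect request with that message unset would still panic here unless it is validated earlier in runConnect, whose start lies outside the hunk. If it is not, the fully nil-safe form `req.GetConnect().GetSourceTls().GetClientName()` closes that gap at no cost. Note also that an unset SourceTls now yields an empty client name instead of a panic, so it matters whether `getSourceTLS` rejects "" or silently falls back to a default config; a comment such as `// unset SourceTls yields ""; getSourceTLS must reject it rather than default` would pin the intended contract.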
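Review bot: The added length guard hard-codes `40` with a comment that misspells the scheme (`ECDG`), and the 32-byte half assumes an X25519 public key, which nothing in the hunk shows. A named constant makes the assumption explicit and auditable: `const ecdhKeyTimeLen = 32 + 8 // X25519 public key + 8-byte timestamp` and `if len(cfg.KeyTime) != ecdhKeyTimeLen {`. The check is cheap and depends only on the input, so it could sit beside the new `cfg == nil` guard at the top of the function and reject malformed configurations before the peer and certificate lookups. getECDHPublicKey's body continues past the hunk, so whether the timestamp half is checked for freshness after `ed25519.Verify` cannot be seen here; if it is not, a replayed KeyTime would still verify.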
@@ -191,7 +191,8 @@ func (s *HTTPSource) Run(ctx context.Context) error {
 slogc.FineDefault("error writing proxy server error", "err", err)
 }
 default:
- if _, err := fmt.Fprintf(w, "[source %s] %v", endpoint, err); err != nil {
+ slog.Log(context.Background(), slog.LevelInfo, "source dial failed", "err", err)
+ if _, err := fmt.Fprintf(w, "[source %s] failed to dial destination (check logs)", endpoint); err != nil {
 slogc.FineDefault("error writing proxy server error", "err", err)
 }
 }
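Review bot: The new log line carries only `err`, so an operator told to "check logs" has nothing to tie it back to the endpoint or source that failed; it also drops the `ctx` that Run receives (assuming it is not shadowed in the handler closure) in favour of `context.Background()` and emits a failure at Info level. Withholding the raw dial error from the HTTP client is the right call, since it can carry internal hostnames and ports, but the server side needs the correlation key: `slog.WarnContext(ctx, "source dial failed", "source", endpoint, "err", err)`. The surrounding code logs through `slogc.FineDefault`; if that helper wraps a configured logger, routing this line through the same logger rather than the slog default keeps handler and level configuration in one place. Run's body extends outside the hunk.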