diff --git a/src/common/server.c b/src/common/server.c
index 70d8e288..b25e39b0 100644
--- a/src/common/server.c
+++ b/src/common/server.c
@@ -522,7 +522,7 @@ ssl_cb_verify (int ok, X509_STORE_CTX * ctx)
 X509 *current_cert = X509_STORE_CTX_get_current_cert (ctx);
 if (!current_cert)
- return TRUE;
+ return ok;
 X509_NAME_oneline (X509_get_subject_name (current_cert), subject, sizeof (subject));
@@ -534,13 +534,21 @@ ssl_cb_verify (int ok, X509_STORE_CTX * ctx)
 g_snprintf (buf, sizeof (buf), "* Issuer: %s", issuer);
 EMIT_SIGNAL (XP_TE_SSLMESSAGE, g_sess, buf, NULL, NULL, NULL, 0);
- return TRUE;
+ if (!ok)
+ {
+ int err = X509_STORE_CTX_get_error (ctx);
+ g_snprintf (buf, sizeof (buf), "* Verify E: %s (%d)",
+ X509_verify_cert_error_string (err), err);
+ EMIT_SIGNAL (XP_TE_SSLMESSAGE, g_sess, buf, NULL, NULL, NULL, 0);
+ }
+
+ return ok;
 }
 static int
 ssl_do_connect (server * serv)
 {
- char buf[256]; // ERR_error_string() MUST have this size
+ char buf[256];
 g_sess = serv->server_session;
@@ -559,9 +567,10 @@ ssl_do_connect (server * serv)
 if (SSL_connect (serv->ssl) <= 0)
 {
 char err_buf[128];
- int err;
+ int err, ssl_err;
 g_sess = NULL;
+ ssl_err = SSL_get_error (serv->ssl, -1);
 if ((err = ERR_get_error ()) > 0)
 {
 ERR_error_string (err, err_buf);
@@ -571,6 +580,8 @@ ssl_do_connect (server * serv)
 if (ERR_GET_REASON (err) == SSL_R_WRONG_VERSION_NUMBER)
 PrintText (serv->server_session, _("Are you sure this is a SSL capable server and port?\n"));
+ else if (ssl_err == SSL_ERROR_SSL)
+ EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, "* TLS handshake rejected by protocol/certificate/cipher policy", NULL, NULL, NULL, 0);
 server_cleanup (serv);
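Review bot: The new `return ok;` at the end of ssl_cb_verify (hunk at -534) only makes the handshake fail if this callback is registered with `SSL_VERIFY_PEER`; under `SSL_VERIFY_NONE` a client handshake continues whatever the callback returns, and the `SSL_CTX_set_verify` call is not visible in this diff, so that call site should be confirmed. I would also put a comment above the return, e.g. `/* propagate OpenSSL's verdict: returning 0 aborts the handshake on an untrusted chain */`, because the old unconditional `return TRUE` is easy to reintroduce during a later cleanup. The same comment fits the `if (!current_cert) return ok;` early return in the first hunk. The callback's declarations sit above both hunks.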
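Review bot: `SSL_get_error (serv->ssl, -1)` in the hunk at -559 is given a hard-coded -1 instead of the value SSL_connect returned, although the enclosing test `SSL_connect (serv->ssl) <= 0` also admits 0. SSL_get_error is documented to take the actual return code, so depending on the OpenSSL version the classification that the `else if (ssl_err == SSL_ERROR_SSL)` branch in the following hunk relies on may be wrong; keep the result with `int ret = SSL_connect (serv->ssl);`, test `if (ret <= 0)`, and call `ssl_err = SSL_get_error (serv->ssl, ret);`. Separately, the context line `ERR_error_string (err, err_buf)` writes into `char err_buf[128]` while OpenSSL documents a 256-byte minimum for that buffer, and this commit deletes the only comment that recorded the size requirement; `ERR_error_string_n (err, err_buf, sizeof (err_buf));` bounds the write. ssl_do_connect continues outside both hunks.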
@@ -649,29 +660,13 @@ ssl_do_connect (server * serv)
 int hostname_err;
 if ((hostname_err = _SSL_check_hostname(cert, serv->hostname)) != 0)
 {
- g_snprintf (buf, sizeof (buf), "* Verify E: Failed to validate hostname? (%d)%s",
- hostname_err, serv->accept_invalid_cert ? " -- Ignored" : "");
- if (serv->accept_invalid_cert)
- EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, buf, NULL, NULL, NULL, 0);
- else
- goto conn_fail;
+ g_snprintf (buf, sizeof (buf), "* Verify E: Failed to validate hostname (%d)",
+ hostname_err);
+ EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, buf, NULL, NULL, NULL, 0);
+ goto conn_fail;
 }
 break;
 }
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
- case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
- case X509_V_ERR_CERT_HAS_EXPIRED:
- if (serv->accept_invalid_cert)
- {
- g_snprintf (buf, sizeof (buf), "* Verify E: %s.? (%d) -- Ignored",
- X509_verify_cert_error_string (verify_error),
- verify_error);
- EMIT_SIGNAL (XP_TE_SSLMESSAGE, serv->server_session, buf, NULL, NULL,
- NULL, 0);
- break;
- }
 default:
 g_snprintf (buf, sizeof (buf), "%s.? (%d)", X509_verify_cert_error_string (verify_error),
diff --git a/src/common/ssl.c b/src/common/ssl.c
index e7f7e0a8..a1ebb038 100644
--- a/src/common/ssl.c
+++ b/src/common/ssl.c
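Review bot: `serv->accept_invalid_cert` is no longer read anywhere in this hunk, and with ssl_cb_verify now returning `ok` the chain errors whose cases are removed here would presumably fail the handshake before this switch is reached, so the per-server option looks inert after this commit. If the field and its setting still exist elsewhere, a user who enabled it gets a failed connection with no hint why; either remove the setting in the same change or emit a message when it is set. The decision should be recorded at the hostname check with a comment such as `/* hostname and chain failures are always fatal; accept_invalid_cert is deliberately not consulted */`. If self-signed servers must stay reachable, a per-server trust anchor or pinned certificate is a safer replacement than a blanket bypass. The switch begins above the hunk and the `default:` body continues below it.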
@@ -86,15 +86,17 @@ _SSL_context_init (void (*info_cb_func))
 SSLeay_add_ssl_algorithms ();
 SSL_load_error_strings ();
- ctx = SSL_CTX_new (SSLv23_client_method ());
+ ctx = SSL_CTX_new (TLS_client_method ());
 SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_BOTH);
 SSL_CTX_set_timeout (ctx, 300);
- SSL_CTX_set_options (ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
- |SSL_OP_NO_COMPRESSION
+ SSL_CTX_set_options (ctx, SSL_OP_NO_COMPRESSION
 |SSL_OP_SINGLE_DH_USE|SSL_OP_SINGLE_ECDH_USE
 |SSL_OP_NO_TICKET
- |SSL_OP_CIPHER_SERVER_PREFERENCE);
+ |SSL_OP_NO_RENEGOTIATION);
+ SSL_CTX_set_min_proto_version (ctx, TLS1_2_VERSION);
+ SSL_CTX_set_cipher_list (ctx, "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!DSS");
+ SSL_CTX_set_ciphersuites (ctx, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256");
 #if OPENSSL_VERSION_NUMBER >= 0x00908000L && !defined (OPENSSL_NO_COMP) /* workaround for OpenSSL 0.9.8 */
 sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
@@ -311,7 +313,7 @@ _SSL_socket (SSL_CTX *ctx, int sd)
 #else
 method = SSL_CTX_get_ssl_method (ctx);
 #endif
- if (method == SSLv23_client_method())
+ if (method == TLS_client_method())
 SSL_set_connect_state (ssl);
 else
 SSL_set_accept_state(ssl);
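Review bot: The three hardening calls added in the _SSL_context_init hunk, `SSL_CTX_set_min_proto_version`, `SSL_CTX_set_cipher_list` and `SSL_CTX_set_ciphersuites`, have their return values ignored, so a failure in any of them silently leaves the library defaults in force. This commit also removes the explicit `SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3` flags, which makes the minimum-version call the only protocol floor. A failure should be fatal for context creation, as sketched below; the sketch assumes the function returns `ctx` and that callers handle NULL, neither of which is visible in the hunk. The new calls also require OpenSSL 1.1.0 or later (1.1.1 for `SSL_CTX_set_ciphersuites`), while the context still carries an `OPENSSL_VERSION_NUMBER >= 0x00908000L` workaround, so either add a version guard or drop the stale compatibility code. The function starts and ends outside the hunk.

```c
	/* … unchanged: SSL_CTX_new, session cache, timeout, SSL_CTX_set_options … */
	if (!SSL_CTX_set_min_proto_version (ctx, TLS1_2_VERSION)
		|| !SSL_CTX_set_cipher_list (ctx, "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!DSS")
		|| !SSL_CTX_set_ciphersuites (ctx, "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"))
	{
		/* refuse to hand out a context whose protocol/cipher policy was not applied */
		SSL_CTX_free (ctx);
		return NULL;
	}
	/* … unchanged: compression workaround and the rest of the function … */
```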