diff --git a/lib/tls/mbedtls/mbedtls-client.c b/lib/tls/mbedtls/mbedtls-client.c
index 9897b55a8..7f9651feb 100644
--- a/lib/tls/mbedtls/mbedtls-client.c
+++ b/lib/tls/mbedtls/mbedtls-client.c
@@ -74,6 +74,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
 	char hostname[128], *p;
 	const char *alpn_comma = wsi->a.context->tls.alpn_default;
 	struct alpn_ctx protos;
+	int fl = SSL_VERIFY_PEER;
 
 	if (wsi->stash)
 		lws_strncpy(hostname, wsi->stash->cis[CIS_HOST], sizeof(hostname));
@@ -117,7 +118,9 @@ lws_ssl_client_bio_create(struct lws *wsi)
 		/* Enable automatic hostname checks */
 	//	X509_VERIFY_PARAM_set_hostflags(param,
 	//				X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-		X509_VERIFY_PARAM_set1_host(param, hostname, 0);
+		lwsl_info("%s: setting hostname %s\n", __func__, hostname);
+		if (X509_VERIFY_PARAM_set1_host(param, hostname, 0) != 1)
+			return -1;
 	}
 
 	if (wsi->a.vhost->tls.alpn)
@@ -143,6 +146,14 @@ lws_ssl_client_bio_create(struct lws *wsi)
 	/* with mbedtls, protos is not pointed to after exit from this call */
 	SSL_set_alpn_select_cb(wsi->tls.ssl, &protos);
 
+	if (wsi->flags & LCCSCF_ALLOW_SELFSIGNED) {
+		lwsl_notice("%s: allowing selfsigned\n", __func__);
+		fl = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+	}
+
+	if (wsi->flags & LCCSCF_ALLOW_INSECURE)
+		fl = SSL_VERIFY_NONE;
+
 	/*
 	 * use server name indication (SNI), if supported,
 	 * when establishing connection
@@ -150,6 +161,8 @@ lws_ssl_client_bio_create(struct lws *wsi)
 #if defined(LWS_WITH_TLS_JIT_TRUST)
 	SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
 			lws_mbedtls_client_verify_callback);
+#else
+	SSL_set_verify(wsi->tls.ssl, fl, NULL);
 #endif
 
 	SSL_set_fd(wsi->tls.ssl, (int)wsi->desc.sockfd);
@@ -406,7 +419,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
 		vh->tls.x509_client_CA = d2i_X509(NULL, buf, (long)len);
 		free(buf);
 
-		lwsl_info("Loading client CA for verification %s\n", ca_filepath);
+		lwsl_info("Loading vh %s client CA for verification %s\n", vh->name, ca_filepath);
 #endif
 	} else {
 		vh->tls.x509_client_CA = d2i_X509(NULL, (uint8_t*)ca_mem, (long)ca_mem_len);
diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
index 669ef4ef4..f67da544f 100755
--- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
@@ -242,18 +242,18 @@ void ssl_pm_free(SSL *ssl)
  */
 static int ssl_pm_reload_crt(SSL *ssl)
 {
-    int ret;
-    int mode;
-    struct ssl_pm *ssl_pm = ssl->ssl_pm;
     struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
+    struct ssl_pm *ssl_pm = ssl->ssl_pm;
+    int ret = 0;
+    int mode;
 
     struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
     struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
 
     if (ssl->verify_mode == SSL_VERIFY_PEER)
-        mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
-    else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
         mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+    else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+        mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
     else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
         mode = MBEDTLS_SSL_VERIFY_UNSET;
     else
@@ -261,19 +261,15 @@ static int ssl_pm_reload_crt(SSL *ssl)
 
     mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
 
-    if (ca_pm->x509_crt) {
+    if (ca_pm->x509_crt)
         mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL);
-    } else if (ca_pm->ex_crt) {
+    else if (ca_pm->ex_crt)
         mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->ex_crt, NULL);
-    }
 
-    if (crt_pm->x509_crt && pkey_pm->pkey) {
+    if (crt_pm->x509_crt && pkey_pm->pkey)
         ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->x509_crt, pkey_pm->pkey);
-    } else if (crt_pm->ex_crt && pkey_pm->ex_pkey) {
+    else if (crt_pm->ex_crt && pkey_pm->ex_pkey)
         ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->ex_crt, pkey_pm->ex_pkey);
-    } else {
-        ret = 0;
-    }
 
     if (ret) {
         SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_conf_own_cert() return -0x%x", -ret);
@@ -967,7 +963,7 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
 #if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
 
 	if (ctx->verify_mode == SSL_VERIFY_PEER)
-		mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
 	else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
 		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
 	else if (ctx->verify_mode == SSL_VERIFY_CLIENT_ONCE)
diff --git a/minimal-examples/http-client/minimal-http-client/CMakeLists.txt b/minimal-examples/http-client/minimal-http-client/CMakeLists.txt
index 5cedc8b54..8c42ae9f7 100644
--- a/minimal-examples/http-client/minimal-http-client/CMakeLists.txt
+++ b/minimal-examples/http-client/minimal-http-client/CMakeLists.txt
@@ -14,6 +14,7 @@ set(has_plugins 1)
 set(has_ss_policy_parse 1)
 set(has_no_system_vhost 1)
 set(has_async_dns 1)
+set(has_mbedtls 1)
 
 set(requirements 1)
 
@@ -34,6 +35,7 @@ require_lws_config(LWS_WITH_SYS_NTPCLIENT 0 has_no_system_vhost)
 require_lws_config(LWS_WITH_SYS_DHCP_CLIENT 0 has_no_system_vhost)
 
 require_lws_config(LWS_WITH_SYS_ASYNC_DNS 1 has_async_dns)
+require_lws_config(LWS_WITH_MBEDTLS 1 has_mbedtls)
 
 if (requirements)
 	add_executable(${SAMP} ${SRCS})
@@ -124,7 +126,7 @@ if (requirements)
 			
 			if (has_async_dns)
 				list(APPEND mytests http-client-fi-connfail)
-				add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 3 --fault-injection "wsi=user/connfail")
+				add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 2 --fault-injection "wsi=user/connfail")
 			else()
 				list(APPEND mytests http-client-fi-connfail)
 				add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 2 --fault-injection "wsi=user/connfail")
@@ -132,10 +134,16 @@ if (requirements)
 			
 			list(APPEND mytests http-client-fi-user-est-fail)
 			add_test(NAME http-client-fi-user-est-fail COMMAND lws-minimal-http-client --expected-exit 3 --fault-injection "wsi/user_reject_at_est")	
-		
 			
 		endif()
-		
+		if (has_mbedtls)
+			list(APPEND mytests http-client-mbedtls-wrong-ca)
+			add_test(NAME http-client-mbedtls-wrong-ca COMMAND lws-minimal-http-client -w --expected-exit 3)
+			message("... adding mbedtls wrong CA test")
+		else()
+			message("... skipping mbedtls wrong CA test")
+		endif()
+	
 		set_tests_properties(${mytests} PROPERTIES
 		     WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/http-client/minimal-http-client
 		     TIMEOUT 20)
diff --git a/minimal-examples/http-client/minimal-http-client/README.md b/minimal-examples/http-client/minimal-http-client/README.md
index c37549cf3..09df8ef08 100644
--- a/minimal-examples/http-client/minimal-http-client/README.md
+++ b/minimal-examples/http-client/minimal-http-client/README.md
@@ -22,6 +22,7 @@ Commandline option|Meaning
 -m|Apply tls option LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK
 -e|Apply tls option LCCSCF_ALLOW_EXPIRED
 -b|Apply tls option LCCSCF_CACHE_COOKIES
+-w|For mbedtls/wolfssl, load wrong CA cert (expected to fail)
 -c <cookie jar file>|Set filepath used for cookie jar
 -v|Connection validity use 3s / 10s instead of default 5m / 5m10s
 --nossl| disable ssl connection
diff --git a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
index 246b18325..f151356f3 100644
--- a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
+++ b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
@@ -1,7 +1,7 @@
 /*
  * lws-minimal-http-client
  *
- * Written in 2010-2019 by Andy Green <andy@warmcat.com>
+ * Written in 2010-2021 by Andy Green <andy@warmcat.com>
  *
  * This file is made available under the Creative Commons CC0 1.0
  * Universal Public Domain Dedication.
@@ -385,7 +385,11 @@ int main(int argc, const char **argv)
 	 * OpenSSL uses the system trust store.  mbedTLS has to be told which
 	 * CA to trust explicitly.
 	 */
-	info.client_ssl_ca_filepath = "./warmcat.com.cer";
+	if (lws_cmdline_option(argc, argv, "-w"))
+		/* option to confirm we are validating against the right cert */
+		info.client_ssl_ca_filepath = "./wrong.cer";
+	else
+		info.client_ssl_ca_filepath = "./warmcat.com.cer";
 #endif
 #if 0
 	n = open("./warmcat.com.cer", O_RDONLY);
diff --git a/minimal-examples/http-client/minimal-http-client/wrong.cer b/minimal-examples/http-client/minimal-http-client/wrong.cer
new file mode 100644
index 000000000..350356673
--- /dev/null
+++ b/minimal-examples/http-client/minimal-http-client/wrong.cer
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
+ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
+b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
+MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
+b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
+ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
+9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
+IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
+VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
+93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
+jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
+A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
+U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
+N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
+o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
+5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
+rqXRfboQnoZsG4q5WTP468SQvvG5
+-----END CERTIFICATE-----
+