diff --git a/include/libwebsockets/lws-client.h b/include/libwebsockets/lws-client.h
index 43511f588..2f1a2df75 100644
--- a/include/libwebsockets/lws-client.h
+++ b/include/libwebsockets/lws-client.h
@@ -38,6 +38,7 @@ enum lws_client_connect_ssl_connection_flags {
 LCCSCF_ALLOW_SELFSIGNED = (1 << 1),
 LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK = (1 << 2),
 LCCSCF_ALLOW_EXPIRED = (1 << 3),
+ LCCSCF_ALLOW_INSECURE = (1 << 4),
 LCCSCF_PIPELINE = (1 << 16),
 /**< Serialize / pipeline multiple client connections
diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
index f822f631c..47a6fbc5e 100644
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@@ -65,6 +65,12 @@ OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 "certificate (verify_callback)\n");
 X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
 return 1; // ok
+ } else if ((err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+ err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) &&
+ wsi->tls.use_ssl & LCCSCF_ALLOW_INSECURE) {
+ lwsl_notice("accepting non-trusted certificate\n");
+ X509_STORE_CTX_set_error(x509_ctx, X509_V_OK);
+ return 1; /* ok */
 } else if ((err == X509_V_ERR_CERT_NOT_YET_VALID ||
 err == X509_V_ERR_CERT_HAS_EXPIRED) &&
 wsi->tls.use_ssl & LCCSCF_ALLOW_EXPIRED) {
diff --git a/minimal-examples/http-client/minimal-http-client/README.md b/minimal-examples/http-client/minimal-http-client/README.md
index a3ac8d682..3113aa022 100644
--- a/minimal-examples/http-client/minimal-http-client/README.md
+++ b/minimal-examples/http-client/minimal-http-client/README.md
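Review bot: The new `LCCSCF_ALLOW_INSECURE` enumerator carries no doc comment, while the neighbouring `LCCSCF_PIPELINE` entry in the same hunk documents itself with a `/**<` block; this header is the public API, so the effect of the bit should be stated where it is declared rather than only in the verify callback. Proposed: `LCCSCF_ALLOW_INSECURE = (1 << 4), /**< Accept a server cert whose issuer cannot be found locally or whose leaf signature cannot be verified, i.e. skip chain-of-trust validation */`. Tying the text to the two X509 error codes the openssl-client.c hunk maps it to makes clear that it is a separate relaxation from `LCCSCF_ALLOW_SELFSIGNED`, which appears to be handled by a different branch. The enum definition continues outside the hunk.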
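Review bot: The notice emitted when the new branch overrides verification does not record which error was waived, so a log reader cannot distinguish an issuer that was not found locally from a leaf signature that could not be verified; the sibling branches share this gap, but this one is new. Suggest `lwsl_notice("accepting non-trusted certificate (%s)\n", X509_verify_cert_error_string(err));` so the overridden error is visible when the connection is later audited. The closing comment is `/* ok */` here but `// ok` in the branch directly above; one form should be used. OpenSSL_client_verify_callback begins and ends outside the hunk.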
@@ -16,6 +16,11 @@ Commandline option|Meaning
 -d |Debug verbosity in decimal, eg, -d15
 -l| Connect to https://localhost:7681 and accept selfsigned cert
 --h1|Specify http/1.1 only using ALPN, rejects h2 even if server supports it
+--server |set server name to connect to
+-k|Apply tls option LCCSCF_ALLOW_INSECURE
+-j|Apply tls option LCCSCF_ALLOW_SELFSIGNED
+-m|Apply tls option LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK
+-e|Apply tls option LCCSCF_ALLOW_EXPIRED
 ```
 $ ./lws-minimal-http-client
diff --git a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
index 1dc1be741..54a420ed2 100644
--- a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
+++ b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
@@ -173,6 +173,21 @@ int main(int argc, const char **argv)
 if ((p = lws_cmdline_option(argc, argv, "-p")))
 i.port = atoi(p);
+ if (lws_cmdline_option(argc, argv, "-j"))
+ i.ssl_connection |= LCCSCF_ALLOW_SELFSIGNED;
+
+ if (lws_cmdline_option(argc, argv, "-k"))
+ i.ssl_connection |= LCCSCF_ALLOW_INSECURE;
+
+ if (lws_cmdline_option(argc, argv, "-m"))
+ i.ssl_connection |= LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK;
+
+ if (lws_cmdline_option(argc, argv, "-e"))
+ i.ssl_connection |= LCCSCF_ALLOW_EXPIRED;
+
+ if ((p = lws_cmdline_option(argc, argv, "--server")))
+ i.address = p;
+
 i.path = "/";
 i.host = i.address;
 i.origin = i.address;
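Review bot: The four `-j`/`-k`/`-m`/`-e` blocks are the same two lines repeated with only the option string and flag changed, so every further member of lws_client_connect_ssl_connection_flags means another copy that can drift from the README table. A small static table keeps the option-to-flag mapping in one place and reads row by row like the README. The `--server` assignment stays separate since it sets `i.address` rather than a flag, and it is correctly placed before the `i.host = i.address` context line. main() begins and ends outside the hunk.
```c
	static const struct { const char *opt; int flag; } tls_opts[] = {
		{ "-j", LCCSCF_ALLOW_SELFSIGNED },
		{ "-k", LCCSCF_ALLOW_INSECURE },
		{ "-m", LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK },
		{ "-e", LCCSCF_ALLOW_EXPIRED },
	};
	for (size_t t = 0; t < sizeof tls_opts / sizeof tls_opts[0]; t++)
		if (lws_cmdline_option(argc, argv, tls_opts[t].opt))
			i.ssl_connection |= tls_opts[t].flag;

	/* … unchanged: --server handling, i.path / i.host / i.origin … */
```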