diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index a65486d0..2de732e5 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
@@ -1983,7 +1983,8 @@ struct lws_http_mount {
 enum lws_client_connect_ssl_connection_flags {
 	LCCSCF_USE_SSL 				= (1 << 0),
 	LCCSCF_ALLOW_SELFSIGNED			= (1 << 1),
-	LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK	= (1 << 2)
+	LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK	= (1 << 2),
+	LCCSCF_ALLOW_EXPIRED			= (1 << 3)
 };
 
 /** struct lws_client_connect_info - parameters to connect with when using
diff --git a/lib/ssl-client.c b/lib/ssl-client.c
index dff7fe20..679a7386 100644
--- a/lib/ssl-client.c
+++ b/lib/ssl-client.c
@@ -296,6 +296,10 @@ lws_ssl_client_connect2(struct lws *wsi)
 		     n == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) &&
 		     wsi->use_ssl & LCCSCF_ALLOW_SELFSIGNED) {
 			lwsl_notice("accepting self-signed certificate\n");
+		} else if ((n == X509_V_ERR_CERT_NOT_YET_VALID ||
+		            n == X509_V_ERR_CERT_HAS_EXPIRED) &&
+		     wsi->use_ssl & LCCSCF_ALLOW_EXPIRED) {
+			lwsl_notice("accepting expired certificate\n");
 		} else {
 			lwsl_err("server's cert didn't look good, X509_V_ERR = %d: %s\n",
 				 n, ERR_error_string(n, sb));