Index: src/tls/OFGnuTLSTLSStream.m
==================================================================
--- src/tls/OFGnuTLSTLSStream.m
+++ src/tls/OFGnuTLSTLSStream.m
@@ -36,10 +36,25 @@
 #ifndef GNUTLS_SAFE_PADDING_CHECK
 /* Some older versions don't have it. */
 # define GNUTLS_SAFE_PADDING_CHECK 0
 #endif
+
+static OFTLSStreamErrorCode
+certificateStatusToErrorCode(gnutls_certificate_status_t status)
+{
+ if (status & GNUTLS_CERT_UNEXPECTED_OWNER)
+ return OFTLSStreamErrorCodeCertificateNameMismatch;
+ if (status & GNUTLS_CERT_REVOKED)
+ return OFTLSStreamErrorCodeCertificateRevoked;
+ if (status & (GNUTLS_CERT_EXPIRED | GNUTLS_CERT_NOT_ACTIVATED))
+ return OFTLSStreamErrorCodeCertificatedExpired;
+ if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
+ return OFTLSStreamErrorCodeCertificateIssuerUntrusted;
+
+ return OFTLSStreamErrorCodeCertificateVerificationFailed;
+}
 @implementation OFGnuTLSTLSStream
 static ssize_t
 readFunc(gnutls_transport_ptr_t transport, void *buffer, size_t length)
 {
@@ -78,25 +93,10 @@
 }
 return length;
 }
-static OFTLSStreamErrorCode
-certificateStatusToErrorCode(gnutls_certificate_status_t status)
-{
- if (status & GNUTLS_CERT_UNEXPECTED_OWNER)
- return OFTLSStreamErrorCodeCertificateNameMismatch;
- if (status & GNUTLS_CERT_REVOKED)
- return OFTLSStreamErrorCodeCertificateRevoked;
- if (status & (GNUTLS_CERT_EXPIRED | GNUTLS_CERT_NOT_ACTIVATED))
- return OFTLSStreamErrorCodeCertificatedExpired;
- if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
- return OFTLSStreamErrorCodeCertificateIssuerUntrusted;
-
- return OFTLSStreamErrorCodeCertificateVerificationFailed;
-}
-
 + (void)load
 {
 if (OFTLSStreamImplementation == Nil)
 OFTLSStreamImplementation = self;
 }
Index: src/tls/OFSecureTransportTLSStream.m
==================================================================
--- src/tls/OFSecureTransportTLSStream.m
+++ src/tls/OFSecureTransportTLSStream.m
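Review bot: certificateStatusToErrorCode collapses a bitmask into one code by first match, so the order of the `if` chain decides what a caller sees when several GnuTLS flags are set at once — a certificate that is both expired and from an unknown issuer (GNUTLS_CERT_EXPIRED together with GNUTLS_CERT_SIGNER_NOT_FOUND) is reported as OFTLSStreamErrorCodeCertificatedExpired, which reads as a lesser, time-related problem than an untrusted issuer. Since the hunk only moves the function, I would at least make that priority explicit with a header comment: `/* Map a GnuTLS verification bitmask to the single most specific error code. Several bits can be set at once, so the checks are ordered by priority; anything not matched (including a bare GNUTLS_CERT_INVALID) becomes OFTLSStreamErrorCodeCertificateVerificationFailed. */`. If the stricter reading is wanted, moving the GNUTLS_CERT_SIGNER_NOT_FOUND check above the expiry check is a one-line reorder, but it changes which code callers receive and should be a deliberate decision. OFTLSStreamErrorCodeCertificatedExpired looks like a typo for ...CertificateExpired, but it is an identifier declared elsewhere and renaming it is out of scope for this change.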
@@ -28,10 +28,21 @@
 #import "OFReadFailedException.h"
 #import "OFTLSHandshakeFailedException.h"
 #import "OFWriteFailedException.h"
 int _ObjFWTLS_reference;
+
+static OFTLSStreamErrorCode
+statusToErrorCode(OSStatus status)
+{
+ switch (status) {
+ case errSSLXCertChainInvalid:
+ return OFTLSStreamErrorCodeCertificateVerificationFailed;
+ }
+
+ return OFTLSStreamErrorCodeUnknown;
+}
 static OSStatus
 readFunc(SSLConnectionRef connection, void *data, size_t *dataLength)
 {
 bool incomplete;
@@ -243,11 +254,11 @@
 if (status != noErr)
 /* FIXME: Map to better errors */
 exception = [OFTLSHandshakeFailedException
 exceptionWithStream: self
 host: _host
- errorCode: OFTLSStreamErrorCodeUnknown];
+ errorCode: statusToErrorCode(status)];
 if ([_delegate respondsToSelector:
 @selector(stream:didPerformClientHandshakeWithHost:exception:)])
 [_delegate stream: self
 didPerformClientHandshakeWithHost: _host
@@ -269,11 +280,11 @@
 if (status != noErr)
 exception = [OFTLSHandshakeFailedException
 exceptionWithStream: self
 host: _host
- errorCode: OFTLSStreamErrorCodeUnknown];
+ errorCode: statusToErrorCode(status)];
 }
 if ([_delegate respondsToSelector:
 @selector(stream:didPerformClientHandshakeWithHost:exception:)])
 [_delegate stream: self
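Review bot: statusToErrorCode maps only errSSLXCertChainInvalid, so the Secure Transport backend still reports OFTLSStreamErrorCodeUnknown for the verification failures the GnuTLS backend distinguishes (name mismatch, expiry, untrusted issuer), and a caller that switches on the error code gets different answers from the two backends for the same bad certificate. Secure Transport has its own constants for those cases — errSSLHostNameMismatch, errSSLCertExpired, errSSLCertNotYetValid, errSSLUnknownRootCert and errSSLNoRootCert — and mapping them onto the same codes the GnuTLS helper uses keeps the two backends in step. Which of these SSLHandshake actually surfaces for a locally rejected chain varies by OS version, so it is worth confirming against the SDK header, and the `/* FIXME: Map to better errors */` comment above the changed call in the next hunk should then be dropped or narrowed to whatever remains unmapped. A revoked peer certificate has no obvious local counterpart here (errSSLPeerCertRevoked is an alert sent by the peer about our certificate), so I left it on the errSSLXCertChainInvalid fallback.
```objc
static OFTLSStreamErrorCode
statusToErrorCode(OSStatus status)
{
	switch (status) {
	case errSSLHostNameMismatch:
		return OFTLSStreamErrorCodeCertificateNameMismatch;
	case errSSLCertExpired:
	case errSSLCertNotYetValid:
		return OFTLSStreamErrorCodeCertificatedExpired;
	case errSSLUnknownRootCert:
	case errSSLNoRootCert:
		return OFTLSStreamErrorCodeCertificateIssuerUntrusted;
	case errSSLXCertChainInvalid:
		return OFTLSStreamErrorCodeCertificateVerificationFailed;
	}

	return OFTLSStreamErrorCodeUnknown;
}
```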