Index: src/tls/OFMbedTLSTLSStream.m
==================================================================
--- src/tls/OFMbedTLSTLSStream.m
+++ src/tls/OFMbedTLSTLSStream.m
@@ -39,10 +39,39 @@
 #include
 int _ObjFWTLS_reference;
 static mbedtls_entropy_context entropy;
 static mbedtls_ctr_drbg_context CTRDRBG;
+
+static OFTLSStreamErrorCode
+verifyResultToErrorCode(const mbedtls_ssl_context *SSL)
+{
+ switch (mbedtls_ssl_get_verify_result(SSL)) {
+ case MBEDTLS_X509_BADCERT_NOT_TRUSTED:
+ return OFTLSStreamErrorCodeCertificateIssuerUntrusted;
+ case MBEDTLS_X509_BADCERT_CN_MISMATCH:
+ return OFTLSStreamErrorCodeCertificateNameMismatch;
+ case MBEDTLS_X509_BADCERT_EXPIRED:
+ case MBEDTLS_X509_BADCERT_FUTURE:
+ return OFTLSStreamErrorCodeCertificatedExpired;
+ case MBEDTLS_X509_BADCERT_REVOKED:
+ return OFTLSStreamErrorCodeCertificateRevoked;
+ }
+
+ return OFTLSStreamErrorCodeCertificateVerificationFailed;
+}
+
+static OFTLSStreamErrorCode
+statusToErrorCode(const mbedtls_ssl_context *SSL, int status)
+{
+ switch (status) {
+ case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
+ return verifyResultToErrorCode(SSL);
+ }
+
+ return OFTLSStreamErrorCodeUnknown;
+}
 @implementation OFMbedTLSTLSStream
 static int
 readFunc(void *ctx, unsigned char *buffer, size_t length)
 {
@@ -287,15 +316,14 @@
 }
 if (status == 0)
 _handshakeDone = true;
 else
- /* FIXME: Map to better errors */
 exception = [OFTLSHandshakeFailedException
 exceptionWithStream: self
 host: host
- errorCode: OFTLSStreamErrorCodeUnknown];
+ errorCode: statusToErrorCode(&_SSL, status)];
 if ([_delegate respondsToSelector:
 @selector(stream:didPerformClientHandshakeWithHost:exception:)])
 [_delegate stream: self
 didPerformClientHandshakeWithHost: host
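Review bot: The `switch` in verifyResultToErrorCode only matches when exactly one verification flag is set, but mbedtls_ssl_get_verify_result() returns a bitmask in which several MBEDTLS_X509_BADCERT_* flags are commonly set together (for example an expired certificate whose issuer is also untrusted), so those failures fall through to OFTLSStreamErrorCodeCertificateVerificationFailed and the more specific code is lost. Testing each flag with a bitwise AND in a fixed priority order keeps the mapping for combined results; the order below is a suggestion and should follow whatever precedence the other TLS backends in the project use. A comment such as `/* Flags can be combined; the first matching one wins. */` on the function would make that precedence visible to the next reader. The single-case `switch` in statusToErrorCode is fine as is, though a comment saying that every other mbedTLS status deliberately maps to OFTLSStreamErrorCodeUnknown would document the intent.
```objc
static OFTLSStreamErrorCode
verifyResultToErrorCode(const mbedtls_ssl_context *SSL)
{
	uint32_t flags = mbedtls_ssl_get_verify_result(SSL);

	/* Flags can be combined; the first matching one wins. */
	if (flags & MBEDTLS_X509_BADCERT_REVOKED)
		return OFTLSStreamErrorCodeCertificateRevoked;
	if (flags & (MBEDTLS_X509_BADCERT_EXPIRED |
	    MBEDTLS_X509_BADCERT_FUTURE))
		return OFTLSStreamErrorCodeCertificatedExpired;
	if (flags & MBEDTLS_X509_BADCERT_CN_MISMATCH)
		return OFTLSStreamErrorCodeCertificateNameMismatch;
	if (flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
		return OFTLSStreamErrorCodeCertificateIssuerUntrusted;

	return OFTLSStreamErrorCodeCertificateVerificationFailed;
}
```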
@@ -326,11 +354,12 @@
 _handshakeDone = true;
 else
 exception = [OFTLSHandshakeFailedException
 exceptionWithStream: self
 host: _host
- errorCode: OFTLSStreamErrorCodeUnknown];
+ errorCode: statusToErrorCode(
+ &_SSL, status)];
 }
 if ([_delegate respondsToSelector:
 @selector(stream:didPerformClientHandshakeWithHost:exception:)])
 [_delegate stream: self
@@ -365,11 +394,12 @@
 _handshakeDone = true;
 else
 exception = [OFTLSHandshakeFailedException
 exceptionWithStream: self
 host: _host
- errorCode: OFTLSStreamErrorCodeUnknown];
+ errorCode: statusToErrorCode(
+ &_SSL, status)];
 }
 if ([_delegate respondsToSelector:
 @selector(stream:didPerformClientHandshakeWithHost:exception:)])
 [_delegate stream: self