diff --git a/.sai.json b/.sai.json
index 7176381023..6ac84a5383 100644
--- a/.sai.json
+++ b/.sai.json
@@ -243,11 +243,11 @@
 		"mbedtls": {
 			"cmake":	"-DLWS_WITH_MBEDTLS=1 -DLWS_WITH_HTTP2=1 -DLWS_WITH_LWSWS=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_JOSE=1 -DCMAKE_BUILD_TYPE=DEBUG",
 			# no distro -devel package for mbedtls
-			"platforms":	"not linux-centos-7/x86_64-amd/gcc, not linux-centos-8/x86_64-amd/gcc"
+			"platforms":	"not linux-centos-7/x86_64-amd/gcc, not linux-centos-8/x86_64-amd/gcc, not linux-ubuntu-xenial/x86_64-amd/gcc"
 		},
 		"mbedtls-metrics": {
 			"cmake":	"-DLWS_WITH_MBEDTLS=1 -DLWS_WITH_HTTP2=1 -DLWS_WITH_LWSWS=1 -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_JOSE=1 -DCMAKE_BUILD_TYPE=DEBUG -DLWS_WITH_SYS_METRICS=1",
-			"platforms":	"not linux-centos-7/x86_64-amd/gcc, not linux-centos-8/x86_64-amd/gcc"
+			"platforms":	"not linux-centos-7/x86_64-amd/gcc, not linux-centos-8/x86_64-amd/gcc, not linux-ubuntu-xenial/x86_64-amd/gcc"
 		},
 		"noserver": {
 			"cmake":	"-DLWS_WITHOUT_SERVER=ON -DLWS_WITH_MINIMAL_EXAMPLES=1 -DLWS_WITH_SECURE_STREAMS=1",
diff --git a/lib/tls/mbedtls/mbedtls-client.c b/lib/tls/mbedtls/mbedtls-client.c
index bc7644ae83..187e860537 100644
--- a/lib/tls/mbedtls/mbedtls-client.c
+++ b/lib/tls/mbedtls/mbedtls-client.c
@@ -272,7 +272,8 @@ lws_tls_client_connect(struct lws *wsi, char *errbuf, size_t elen)
 	if (!n) /* we don't know what he wants, but he says to retry */
 		return LWS_SSL_CAPABLE_MORE_SERVICE;
 
-	if (m == SSL_ERROR_SYSCALL && !en)
+	if (m == SSL_ERROR_SYSCALL && !en && n >= 0) /* otherwise we miss explicit failures and spin
+						      * in hs state 17 until timeout... */
 		return LWS_SSL_CAPABLE_MORE_SERVICE;
 
 	lws_snprintf(errbuf, elen, "mbedtls connect %d %d %d", n, m, en);
diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
index cc2608b385..1b6020a90c 100755
--- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
@@ -98,7 +98,6 @@ static void ssl_platform_debug(void *ctx, int level,
 }
 //#endif
 
-#if defined(LWS_HAVE_mbedtls_ssl_set_verify)
 static int
 lws_mbedtls_f_vrfy(void *opaque, mbedtls_x509_crt *x509, int state, uint32_t *pflags)
 {
@@ -109,7 +108,6 @@ lws_mbedtls_f_vrfy(void *opaque, mbedtls_x509_crt *x509, int state, uint32_t *pf
 
 	return 0;
 }
-#endif
 
 /**
  * @brief create SSL low-level object
@@ -151,6 +149,8 @@ int ssl_pm_new(SSL *ssl)
 
 #if defined(LWS_HAVE_mbedtls_ssl_set_verify)
     mbedtls_ssl_set_verify(&ssl_pm->ssl, lws_mbedtls_f_vrfy, ssl_pm);
+#else
+    mbedtls_ssl_conf_verify(&ssl_pm->conf, lws_mbedtls_f_vrfy, ssl_pm);
 #endif
 
     ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len);
diff --git a/lib/tls/tls-client.c b/lib/tls/tls-client.c
index 9d93a3daea..5b29923f53 100644
--- a/lib/tls/tls-client.c
+++ b/lib/tls/tls-client.c
@@ -66,6 +66,12 @@ lws_ssl_client_connect2(struct lws *wsi, char *errbuf, size_t len)
 		switch (n) {
 		case LWS_SSL_CAPABLE_ERROR:
 			lws_tls_restrict_return_handshake(wsi);
+
+			if (lws_tls_client_confirm_peer_cert(wsi, errbuf, len)) {
+				lws_metrics_caliper_report(wsi->cal_conn, METRES_NOGO);
+				return -1;
+			}
+
 			// lws_snprintf(errbuf, len, "client connect failed");
 			return -1;
 		case LWS_SSL_CAPABLE_DONE: