@@ -26,12 +26,15 @@
 #import
 #import
 #include
+#include
 #import "SSLSocket.h"
+#import "SSLInvalidCertificateException.h"
+#import "X509Certificate.h"
 #import
 #import
 #import
 #import
@@ -93,10 +96,14 @@
 		    exceptionWithClass: self];
 	if ((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2) == 0)
 		@throw [OFInitializationFailedException
 		    exceptionWithClass: self];
+
+	if (SSL_CTX_set_default_verify_paths(ctx) == 0)
+		@throw [OFInitializationFailedException
+		    exceptionWithClass: self];
 }
 - initWithSocket: (OFTCPSocket*)socket
 {
 	self = [self init];
@@ -341,6 +348,29 @@
 	[data addNItems: length fromCArray: buffer];
 	return data;
 }
+
+- (X509Certificate*)peerCertificate
+{
+	X509 *certificate = SSL_get_peer_certificate(ssl);
+	if (!certificate)
+		return nil;
+
+	return [[[X509Certificate alloc]
+	    initWithStruct: certificate] autorelease];
+}
+
+- (void)verifyPeerCertificate
+{
+	unsigned long ret;
+	if ((SSL_get_peer_certificate(ssl) == NULL)
+	    || ((ret = SSL_get_verify_result(ssl)) != X509_V_OK)) {
+		const char *reason = X509_verify_cert_error_string(ret);
+		@throw [SSLInvalidCertificateException
+		    exceptionWithClass: isa
+				reason: [OFString
+				    stringWithUTF8String: reason]];
+	}
+}
 @end
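Review bot: The added SSL_CTX_set_default_verify_paths call only loads the trust store; unless SSL_CTX_set_verify with SSL_VERIFY_PEER is applied elsewhere (not visible in this hunk), an untrusted chain does not abort the handshake and is merely recorded for SSL_get_verify_result. That makes an explicit later call to -verifyPeerCertificate the sole enforcement point, which is worth stating next to the new check, e.g. `/* Loads the system CA store so SSL_get_verify_result is meaningful. The handshake itself is not aborted on an untrusted chain; callers must invoke -verifyPeerCertificate after connecting. */`. The enclosing class initializer begins before this hunk.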
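Review bot: In -verifyPeerCertificate, `ret` is read uninitialized when SSL_get_peer_certificate returns NULL: the `||` short-circuits before the assignment, yet X509_verify_cert_error_string(ret) is still evaluated to build the exception reason. Both SSL_get_peer_certificate calls in this hunk also hand back a reference-counted X509 that is never released — -verifyPeerCertificate discards the pointer without X509_free, and whether -[X509Certificate initWithStruct:] takes ownership and frees it in -dealloc is not visible here, so -peerCertificate should be confirmed not to leak as well. The NULL check itself must stay, because SSL_get_verify_result reports X509_V_OK when no certificate was presented at all; the rewrite below keeps it as its own branch with a fixed reason string and frees the reference before consulting the verify result. `ret` should be `long`, which is what SSL_get_verify_result returns and X509_verify_cert_error_string accepts. Separately, a passing verify result proves only that the chain is trusted, not that the certificate was issued for the host this socket connected to; no such identity match appears in this hunk, so callers should not treat -verifyPeerCertificate as complete peer authentication until one is added.
```objc
- (void)verifyPeerCertificate
{
	X509 *certificate = SSL_get_peer_certificate(ssl);
	long ret;

	/* SSL_get_verify_result reports X509_V_OK when no certificate was
	 * presented, so the absence of a certificate is checked first. */
	if (certificate == NULL)
		@throw [SSLInvalidCertificateException
		    exceptionWithClass: isa
				reason: @"No peer certificate presented"];

	/* SSL_get_peer_certificate returned a new reference; drop it. */
	X509_free(certificate);

	if ((ret = SSL_get_verify_result(ssl)) != X509_V_OK) {
		const char *reason = X509_verify_cert_error_string(ret);
		@throw [SSLInvalidCertificateException
		    exceptionWithClass: isa
				reason: [OFString
				    stringWithUTF8String: reason]];
	}
}
```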