Index: lib/nss.c
===================================================================
RCS file: /cvsroot/curl/curl/lib/nss.c,v
retrieving revision 1.51
diff -u -r1.51 nss.c
--- lib/nss.c	20 Jul 2009 21:50:21 -0000	1.51
+++ lib/nss.c	13 Aug 2009 09:48:02 -0000
@@ -615,10 +615,14 @@
           issuer);
     break;
   case SSL_ERROR_BAD_CERT_DOMAIN:
-    if(conn->data->set.ssl.verifypeer)
+    if(conn->data->set.ssl.verifypeer && conn->data->set.ssl.verifyhost) {
+      failf(conn->data, "common name '%s' does not match '%s'",
+            subject, conn->host.dispname);
       success = SECFailure;
-    infof(conn->data, "common name: %s (does not match '%s')\n",
-          subject, conn->host.dispname);
+    } else {
+      infof(conn->data, "warning: common name '%s' does not match '%s'\n",
+            subject, conn->host.dispname);
+    }
     break;
   case SEC_ERROR_EXPIRED_CERTIFICATE:
     if(conn->data->set.ssl.verifypeer)
@@ -1200,7 +1204,9 @@
   if(SSL_ForceHandshakeWithTimeout(connssl->handle,
                                     PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
       != SECSuccess) {
-    if(conn->data->set.ssl.certverifyresult!=0)
+    if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
+      curlerr = CURLE_PEER_FAILED_VERIFICATION;
+    else if(conn->data->set.ssl.certverifyresult!=0)
       curlerr = CURLE_SSL_CACERT;
     goto error;
   }