--- verify.c 2011-01-24 22:44:03.000000000 +0100
+++ verify.c.patched 2011-04-10 20:17:19.551078252 +0200
@@ -196,6 +196,8 @@
 static int cert_check(CLI *c, X509_STORE_CTX *callback_ctx, int preverify_ok) {
 X509_OBJECT ret;
+ unsigned char peermd[EVP_MAX_MD_SIZE], localmd[EVP_MAX_MD_SIZE];
+ unsigned int peermdlen, localmdlen;
 if(c->opt->verify_level==SSL_VERIFY_NONE) {
 s_log(LOG_INFO, "CERT: Verification not enabled");
@@ -207,11 +209,25 @@
 X509_verify_cert_error_string(callback_ctx->error));
 return 0; /* reject connection */
 }
- if(c->opt->verify_use_only_my && callback_ctx->error_depth==0 &&
- X509_STORE_get_by_subject(callback_ctx, X509_LU_X509,
- X509_get_subject_name(callback_ctx->current_cert), &ret)!=1) {
- s_log(LOG_WARNING, "CERT: Certificate not found in local repository");
- return 0; /* reject connection */
+ if(c->opt->verify_use_only_my && callback_ctx->error_depth==0) {
+ if(X509_STORE_get_by_subject(callback_ctx, X509_LU_X509,
+ X509_get_subject_name(callback_ctx->current_cert), &ret)!=1) {
+ s_log(LOG_WARNING, "CERT: Certificate not found in local repository");
+ return 0; /* reject connection */
+ }
+ else {
+ if(!X509_digest (callback_ctx->current_cert, EVP_sha1(), peermd, &peermdlen) ||
+ !X509_digest (ret.data.x509, EVP_sha1(), localmd, &localmdlen)) {
+ s_log(LOG_WARNING, "Failed to compute fingerprints.");
+ return 0;
+ }
+ if(peermdlen != localmdlen ||
+ memcmp(peermd, localmd, localmdlen) != 0) {
+ s_log(LOG_WARNING, "Fingerprints of certificates don't match.");
+ return 0;
+ }
+
+ }
 }
 return 1; /* accept connection */
 }
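Review bot: The X509_OBJECT filled in by `X509_STORE_get_by_subject()` in the second hunk is never released, and in the OpenSSL 1.0.x implementation that call up-refs the stored certificate before copying it into `ret` (if I read it correctly), so every connection that reaches the else branch leaks one X509 reference; this was latent in the old code too, but the new code now dereferences `ret.data.x509`, so it deserves handling here. I would compute both digests into a flag first, drop the reference as soon as `ret.data.x509` is no longer needed, and only then branch: `int ok = X509_digest(callback_ctx->current_cert, EVP_sha1(), peermd, &peermdlen) && X509_digest(ret.data.x509, EVP_sha1(), localmd, &localmdlen);` followed by `X509_OBJECT_free_contents(&ret); /* release the reference taken by X509_STORE_get_by_subject() */` and `if(!ok) {`, keeping the two existing log-and-reject paths otherwise unchanged. Two smaller points: the lookup returns only the first certificate whose subject matches, so a local repository holding two certificates with the same subject (for example an old and a renewed one) will reject a peer presenting the second one, which is worth a comment such as `/* only the first subject match is compared; keep one certificate per subject in the repository */`; and the fingerprint is SHA-1, which is adequate here only while second-preimage resistance holds, so `EVP_sha256()` would be the more durable choice where the linked OpenSSL provides it. The `else` after an unconditional `return 0` and the stray blank line before the closing brace are style-only. The enclosing function starts in the first hunk and its body is split across both.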