diff --git a/platform/include/internal/ssl_trusted_cert_storage.h b/platform/include/internal/ssl_trusted_cert_storage.h
index 11daeee..d85d495 100644
--- a/platform/include/internal/ssl_trusted_cert_storage.h
+++ b/platform/include/internal/ssl_trusted_cert_storage.h
@@ -19,6 +19,7 @@ struct cert_verify_param
 char no_verify_cn;
 char no_verify_issuer;
 char no_verify_expiry_date;
+ char real_untrust;
 };
 struct cert_verify_result
 {
diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp
index 9072ea5..d9ff4fe 100644
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
@@ -304,6 +304,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 {
 ret=1;
 }
+ param->real_untrust |= 0x02;
 break;
 case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
@@ -311,6 +312,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 {
 ret=1;
 }
+ param->real_untrust |= 0x04;
 break;
 case X509_V_ERR_CERT_NOT_YET_VALID:
 case X509_V_ERR_CERT_HAS_EXPIRED:
@@ -318,6 +320,7 @@ static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 {
 ret=1;
 }
+ param->real_untrust |= 0x08;
 break;
 case X509_V_ERR_UNABLE_TO_GET_CRL:
 case X509_V_ERR_DIFFERENT_CRL_SCOPE:
@@ -346,10 +349,20 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
 // The peer certificate chain is not necessarily available after reusing a session, in which case a NULL pointer is returned.
 return 1;
 }
+ param->real_untrust = 0;
 X509 * cert = sk_X509_value(cert_chain, 0);
+
+ int hostmatched;
+ if (hostname)
+ {
+ hostmatched = X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
+ if (hostmatched != 1)
+ param->real_untrust |= 0x01;
+ }
+
 if(!param->no_verify_cn&&hostname)
 {
- result->is_hostmatched=X509_check_host(cert, hostname, strlen(hostname), 0, NULL);
+ result->is_hostmatched=hostmatched;
 }
 else
 {
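Review bot: `real_untrust` is introduced as a bit mask, but the header says nothing about which bit means what, so a reader of cert_verify_param cannot tell it apart from the neighbouring boolean no_verify_* flags. The bit assignments are only recoverable from the .cpp hunks and the debug log added there (0x01 host mismatch, 0x02 issuer, 0x04 self-signed, 0x08 validity period), so document them next to the field: `char real_untrust; /* bit mask of real verification failures, recorded regardless of the no_verify_* overrides: 0x01 host, 0x02 issuer, 0x04 self-signed, 0x08 validity period */`. Named constants for the four bits would be better still, since the same literals are repeated in verify_callback, ssl_trusted_cert_storage_verify_conn and the log call. `unsigned char` would also avoid relying on the implementation-defined signedness of `char` for a mask.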
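Review bot: Only the three error groups patched in verify_callback (`|= 0x02` here, `|= 0x04` and `|= 0x08` in the -311 and -318 hunks) record a failure bit; the CRL cases visible after the -318 hunk, and any error handled by the rest of the switch, leave `real_untrust` at 0. Since the -402 hunk replaces the old `ret == 1` test with `if (param->real_untrust == 0)` as the "cert verify success" condition, such an untracked error would now count as a clean verification and reach ssl_fetch_trusted_cert_from_chain, which the old condition did not allow. Either set a catch-all bit on every error path that does not force `ret=1` (the default arm is the natural place), or keep `ret == 1` in the condition alongside `real_untrust == 0`. The enclosing switch and the case arm this bit belongs to start outside the hunk, so which error 0x02 covers cannot be confirmed from here.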
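Review bot: `param->real_untrust = 0;` clears the mask near the top of ssl_trusted_cert_storage_verify_conn, after the peer chain has already been obtained, yet the 0x02/0x04/0x08 bits are set in verify_callback. If that callback runs during the handshake, i.e. before this function is entered, the reset discards those bits and only the host-match bit survives, so a chain with an issuer, self-signed or expiry failure would still satisfy `real_untrust == 0` in the -402 hunk; if verification is re-run from within this function after the reset this is fine, but that is not visible here and should be confirmed. Separately, `int hostmatched;` is left uninitialised when hostname is NULL; it is not read in that case today, but `int hostmatched = 0;` keeps the later `result->is_hostmatched=hostmatched;` safe if the guard ever changes. The function begins and ends outside this hunk.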
@@ -402,12 +415,17 @@ int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storag
 ret=1;
 }
- // case cert verify success
- if (!param->no_verify_self_signed &&
- !param->no_verify_cn &&
- !param->no_verify_issuer &&
- !param->no_verify_expiry_date &&
- ret == 1) {
+ TFE_LOG_DEBUG(g_default_logger,
+ "sni:%s, cet_real_untrust:%d, verify_host_fail:%d, verify_issure_fail:%d, verify_self_signed_fail:%d, verify_expiry_date_fail:%d",
+ (hostname ? hostname : "NULL"),
+ ((param->real_untrust & 0x0f) ? 1 : 0),
+ ((param->real_untrust & 0x01) ? 1 : 0),
+ ((param->real_untrust & 0x02) ? 1 : 0),
+ ((param->real_untrust & 0x04) ? 1 : 0),
+ ((param->real_untrust & 0x08) ? 1 : 0));
+
+ // case cert verify success
+ if (param->real_untrust == 0) {
 ssl_fetch_trusted_cert_from_chain(cert_chain, storage->effective_store, hostname);
 }