diff --git a/Examples/Stunnel.hs b/Examples/Stunnel.hs
--- a/Examples/Stunnel.hs
+++ b/Examples/Stunnel.hs
@@ -46,7 +46,7 @@
 
 	handshake dsthandle
 
-	forkIO $ forever $ do
+	_ <- forkIO $ forever $ do
 		dat <- recvData dsthandle
 		putStrLn ("received " ++ show dat)
 		L.hPut srchandle dat
@@ -126,7 +126,8 @@
 		{ destinationType :: String
 		, destination     :: String
 		, sourceType      :: String
-		, source          :: String }
+		, source          :: String
+		, validCert       :: Bool }
 	| Server
 		{ destinationType :: String
 		, destination     :: String
@@ -141,6 +142,7 @@
 	, destination     = "localhost:6061"  &= help "destination address influenced by destination type" &= typ "ADDRESS"
 	, sourceType      = "tcp"             &= help "type of source (tcp, unix, fd)" &= typ "SOURCETYPE"
 	, source          = "localhost:6060"  &= help "source address influenced by source type" &= typ "ADDRESS"
+	, validCert       = False             &= help "check if the certificate receive is valid" &= typ "Bool"
 	}
 	&= help "connect to a remote destination that use SSL/TLS"
 
@@ -208,11 +210,13 @@
 	srcaddr <- getAddressDescription (sourceType pargs) (source pargs)
 	dstaddr <- getAddressDescription (destinationType pargs) (destination pargs)
 
+	let crecv = if validCert pargs then certificateVerifyChain else (\_ -> return True)
 	let clientstate = defaultParams
 		{ pConnectVersion = TLS10
 		, pAllowedVersions = [ TLS10, TLS11 ]
 		, pCiphers = ciphers
 		, pCertificates = []
+		, onCertificatesRecv = crecv
 		}
 
 	case srcaddr of
@@ -258,5 +262,5 @@
 main = do
 	x <- cmdArgsRun mode
 	case x of
-		Client _ _ _ _     -> doClient x
+		Client _ _ _ _ _   -> doClient x
 		Server _ _ _ _ _ _ -> doServer x
diff --git a/Network/TLS/Extra/Certificate.hs b/Network/TLS/Extra/Certificate.hs
--- a/Network/TLS/Extra/Certificate.hs
+++ b/Network/TLS/Extra/Certificate.hs
@@ -8,7 +8,7 @@
 --
 module Network.TLS.Extra.Certificate
 	( certificateVerifyChain
-	, certificateVerify
+	, certificateVerifyAgainst
 	) where
 
 import qualified Data.ByteString as B
@@ -42,6 +42,16 @@
 --
 -- each certificate of the list is verified against the next certificate, until
 -- it can be verified against a system certificate (system certificates are assumed as trusted)
+--
+-- This helper only check that the chain of certificate is valid, which means that each items
+-- received are signed by the next one, or by a system certificate. Some extra checks need to
+-- be done at the user level so that the certificate chain received make sense in the context.
+--
+-- for example for HTTP, the user should typically verify the certificate subject match the URL
+-- of connection.
+--
+-- TODO: verify validity, check revocation list if any, add optional user output to know
+-- the rejection reason.
 certificateVerifyChain :: [X509] -> IO Bool
 certificateVerifyChain l
 	| l == []   = return False
@@ -49,9 +59,9 @@
 		-- find a matching certificate that we trust (== installed on the system)
 		found <- SysCert.findCertificate (matchsysX509 $ head l)
 		case found of
-			Just sysx509 -> certificateVerify (head l) sysx509
+			Just sysx509 -> certificateVerifyAgainst (head l) sysx509
 			Nothing      -> do
-				validChain <- certificateVerify (head l) (head $ tail l)
+				validChain <- certificateVerifyAgainst (head l) (head $ tail l)
 				if validChain
 					then certificateVerifyChain $ tail l
 					else return False
@@ -64,8 +74,8 @@
 
 -- | verify a certificate against another one.
 -- the first certificate need to be signed by the second one for this function to succeed.
-certificateVerify :: X509 -> X509 -> IO Bool
-certificateVerify ux509@(X509 _ _ sigalg sig) (X509 scert _ _ _) = do
+certificateVerifyAgainst :: X509 -> X509 -> IO Bool
+certificateVerifyAgainst ux509@(X509 _ _ sigalg sig) (X509 scert _ _ _) = do
 	let f = verifyF sigalg pk
 	case f udata esig of
 		Right True -> return True
@@ -77,14 +87,21 @@
 
 verifyF :: SignatureALG -> PubKey -> B.ByteString -> B.ByteString -> Either String Bool
 
+-- md[245]WithRSAEncryption:
+--
+--   pkcs-1 OBJECT IDENTIFIER ::= { iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) 1 }
+--   rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 }
+--   md2WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 2 }
+--   md4WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 3 }
+--   md5WithRSAEncryption OBJECT IDENTIFIER ::= { pkcs-1 4 }
 verifyF SignatureALG_md2WithRSAEncryption (PubKeyRSA rsak) = rsaVerify MD2.hash asn1 (mkRSA rsak)
-	where asn1 = "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10"
+	where asn1 = "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x02\x10"
 
 verifyF SignatureALG_md5WithRSAEncryption (PubKeyRSA rsak) = rsaVerify MD5.hash asn1 (mkRSA rsak)
 	where asn1 = "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10"
 
 verifyF SignatureALG_sha1WithRSAEncryption (PubKeyRSA rsak) = rsaVerify SHA1.hash asn1 (mkRSA rsak)
-	where asn1 = "\x30\x20\x30\x0c\x06\x08\x2a\x86\x48\x86\xf7\x0d\x02\x05\x05\x00\x04\x10"
+	where asn1 = "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14"
 
 verifyF SignatureALG_dsaWithSHA1 (PubKeyDSA (pub,p,q,g)) = dsaSHA1Verify pk
 	where
@@ -96,5 +113,6 @@
 	where asig = (0,0) {- FIXME : need to work out how to get R/S from the bytestring a -}
 
 rsaVerify h hdesc pk a b = either (Left . show) (Right) $ RSA.verify h hdesc pk a b
+
 mkRSA (lenmodulus, modulus, e) =
 	RSA.PublicKey { RSA.public_sz = lenmodulus, RSA.public_n = modulus, RSA.public_e = e }
diff --git a/tls-extra.cabal b/tls-extra.cabal
--- a/tls-extra.cabal
+++ b/tls-extra.cabal
@@ -1,5 +1,5 @@
 Name:                tls-extra
-Version:             0.1.4
+Version:             0.1.5
 Description:
    a set of extra definitions, default values and helpers for tls.
 License:             BSD3
