diff --git a/src/verify.c b/src/verify.c
index 3519144..066c4ff 100644
--- a/src/verify.c
+++ b/src/verify.c
@@ -233,22 +233,32 @@ NOEXPORT int cert_check(X509_STORE_CTX *callback_ctx, int preverify_ok) {
         }
     }
     if(c->opt->verify_level>=3 && depth==0) {
+        int i = -1;
         if(X509_STORE_get_by_subject(callback_ctx, X509_LU_X509,
-                X509_get_subject_name(cert), &obj)!=1) {
+                X509_get_subject_name(cert), &obj)==1) {
+            i = X509_OBJECT_idx_by_subject(callback_ctx->ctx->objs,
+                X509_LU_X509, X509_get_subject_name(cert));
+        }
+        if(i == -1) {
             s_log(LOG_WARNING,
                 "CERT: Certificate not found in local repository");
             return 0; /* fail */
         }
+        for (;i<sk_X509_OBJECT_num(callback_ctx->ctx->objs);i++) {
+            X509_OBJECT *pobj = sk_X509_OBJECT_value(callback_ctx->ctx->objs,i);
 #if OPENSSL_VERSION_NUMBER>=0x0090700fL
         peer_key=X509_get0_pubkey_bitstr(cert);
-        local_key=X509_get0_pubkey_bitstr(obj.data.x509);
+        local_key=X509_get0_pubkey_bitstr(pobj->data.x509);
         if(!peer_key || !local_key || peer_key->length!=local_key->length ||
                 memcmp(peer_key->data, local_key->data, local_key->length)) {
-            s_log(LOG_WARNING, "CERT: Public keys do not match");
-            return 0; /* fail */
+            continue;
         }
-#endif
         s_log(LOG_INFO, "CERT: Locally installed certificate matched");
+        return 1; /* accept connection */
+#endif
+        }
+        s_log(LOG_WARNING, "CERT: Public keys do not match");
+        return 0; /* reject connection */
     }
     return 1; /* success */
 }