diff --git a/aclocal.m4 b/aclocal.m4
index 748fb2969..7ec45b670 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1595,11 +1595,11 @@ AC_DEFUN([EGG_TLS_DETECT],
 if test -z "$SSL_LIBS"; then
 AC_CHECK_LIB(crypto, X509_digest, , [havessllib="no"], [-lssl])
 AC_CHECK_LIB(ssl, SSL_accept, , [havessllib="no"], [-lcrypto])
- AC_CHECK_FUNCS([EVP_sha1 a2i_IPADDRESS], , [[
- havessllib="no"
- break
- ]])
 fi
+ AC_CHECK_FUNCS([EVP_sha1 a2i_IPADDRESS], , [[
+ havessllib="no"
+ break
+ ]])
 AC_CHECK_FUNCS([EVP_md5])
 AC_CHECK_FUNC(OPENSSL_buf2hexstr, ,
 AC_CHECK_FUNC(hex_to_string,
@@ -1622,7 +1622,7 @@ AC_DEFUN([EGG_TLS_DETECT],
 AC_MSG_WARN([Please specify the path to the openssl include dir using --with-sslinc=path])
 fi
 if test "$havessllib" = "no"; then
- AC_MSG_WARN([Cannot find OpenSSL libraries.])
+ AC_MSG_WARN([Cannot find OpenSSL library 0.9.8 or newer.])
 AC_MSG_WARN([Please specify the path to libssl and libcrypto using --with-ssllib=path])
 fi
 AC_MSG_CHECKING([for OpenSSL])
diff --git a/src/dccutil.c b/src/dccutil.c
index 24cb43cfd..b6e10bb68 100644
--- a/src/dccutil.c
+++ b/src/dccutil.c
@@ -273,6 +273,10 @@ void dcc_chatter(int idx)
 dcc[idx].u.chat->channel = 234567;
 j = dcc[idx].sock;
 strcpy(dcc[idx].u.chat->con_chan, "***");
+#ifdef TLS
+ if (is_owner(dcc[idx].user))
+ verify_cert_expiry(idx);
+#endif
 check_tcl_chon(dcc[idx].nick, dcc[idx].sock);
 /* Still there? */
 if ((idx >= dcc_total) || (dcc[idx].sock != j))
diff --git a/src/main.c b/src/main.c
index 0b321d025..73aa4c891 100644
--- a/src/main.c
+++ b/src/main.c
@@ -641,6 +641,9 @@ static void core_secondly()
 movefile(logs[i].filename, s);
 }
 }
+#ifdef TLS
+ verify_cert_expiry(0);
+#endif
 }
 }
 }
diff --git a/src/proto.h b/src/proto.h
index 0d95ae488..727e5b625 100644
--- a/src/proto.h
+++ b/src/proto.h
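Review bot: The new call hands the chat's own dcc index to verify_cert_expiry, which (per the tls.c hunk on this page) treats 0 as "write to the log instead of the dcc", so if index 0 can ever hold a live party-line chat that owner would get a log line rather than the warning on their console; dcc_chatter starts and ends outside the hunk and I cannot tell from here whether dcc[0] is ever a chat, so this is worth confirming. If it can be, the sentinel in the callee should be a value that is never a valid index, for example -1, with this call site left as is. A one-line comment on the `#ifdef TLS` block would also help readers, e.g. `/* Owners are told at login if the TLS certificate has expired */`.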
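Review bot: Placing `verify_cert_expiry(0);` inside the nested blocks of core_secondly ties its cadence to whatever the enclosing conditions are, and those conditions, like the start of the function, lie outside the hunk, so the hunk alone does not say whether a per-minute, hourly or daily re-check was intended. A comment such as `/* periodic re-check so a certificate that expires after startup is still reported */` naming the intended interval would make that reviewable. The interval matters because, on OpenSSL older than 1.0.2, the callee opens and parses tls_certfile from disk on every call.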
@@ -309,6 +309,7 @@ int readtclprog(char *fname);
 
 /* tls.c */
 #ifdef TLS
+void verify_cert_expiry(int);
 int ssl_handshake(int, int, int, int, char *, IntFunc);
 char *ssl_fpconv(char *in, char *out);
 const char *ssl_getuid(int sock);
diff --git a/src/tls.c b/src/tls.c
index d3af0c6ea..7492edc6a 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -109,6 +109,34 @@ static int ssl_seed(void)
 return 0;
 }
 
+void verify_cert_expiry(int idx) {
+ X509 *x509;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L /* 1.0.2 */
+ x509 = SSL_CTX_get0_certificate(ssl_ctx);
+#else
+ BIO *bio = BIO_new_file(tls_certfile, "r");
+ if (!bio)
+ return;
+ x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
+#endif
+ if (x509) {
+ if (X509_cmp_current_time(X509_get_notAfter(x509)) < 0) {
+ if (idx) {
+ dprintf(idx, "WARNING: SSL/TLS certificate %s expired\n", tls_certfile);
+ dprintf(idx, "You can generate new certificates by running 'make sslcert' from the source directory\n\n");
+ } else {
+ putlog(LOG_MISC, "*", "\nWARNING: SSL/TLS certificate %s expired", tls_certfile);
+ putlog(LOG_MISC, "*", "You can generate new certificates by running 'make sslcert' from the source directory\n");
+ }
+ }
+#if OPENSSL_VERSION_NUMBER < 0x10002000L /* 1.0.2 */
+ X509_free(x509);
+ BIO_free(bio);
+#endif
+ }
+}
+
 /* Prepares and initializes SSL stuff
 *
 * Creates a context object, supporting SSLv2/v3 & TLSv1 protocols;
@@ -157,6 +185,7 @@ int ssl_init()
 tls_certfile, ERR_error_string(ERR_get_error(), NULL));
 fatal("Unable to load TLS certificate (ssl-certificate config setting)!", 0);
 }
+ verify_cert_expiry(0);
 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, tls_keyfile, SSL_FILETYPE_PEM) != 1) {
 putlog(LOG_MISC, "*", "ERROR: TLS: unable to load private key from %s: %s",
 tls_keyfile, ERR_error_string(ERR_get_error(), NULL));
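Review bot: In the pre-1.0.2 branch the BIO leaks whenever PEM_read_bio_X509 fails, because `BIO_free(bio)` only runs inside `if (x509)`; since PEM_read_bio_X509 returns an X509 that does not depend on the BIO, free it right after reading — `x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); BIO_free(bio);` — and drop the later `BIO_free(bio)` from the cleanup block. X509_cmp_current_time returns 0 when the notAfter field cannot be parsed, so a malformed validity field passes the `< 0` test silently; logging that case, and perhaps checking notBefore as well, would make the check more trustworthy. The function also carries no header comment, unlike the neighbouring ssl_init; something like `/* Warns if the loaded certificate has expired: to dcc idx when non-zero, otherwise to the log. Never fails. */` above it would do.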
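Review bot: The new `verify_cert_expiry(0);` sits between the certificate load and the private-key load with nothing saying that it only warns, so a reader skimming ssl_init's fatal() checks may expect an expired certificate to abort startup as well; a comment such as `/* warn only; an expired certificate is still loaded */` on the line would remove that ambiguity. ssl_init starts and ends outside the hunk.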