diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
index cb3821a5a7..789ec95a45 100755
--- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
@@ -1061,14 +1061,16 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
 #if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
- if ((ctx->verify_mode & SSL_VERIFY_PEER) > 0)
+ if ((ctx->verify_mode & SSL_VERIFY_POST_HANDSHAKE) > 0)
+ mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+ else if ((ctx->verify_mode & SSL_VERIFY_PEER) > 0)
 mode = MBEDTLS_SSL_VERIFY_REQUIRED;
 else if ((ctx->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) > 0)
 mode = MBEDTLS_SSL_VERIFY_REQUIRED;
 else if (ctx->verify_mode == SSL_VERIFY_CLIENT_ONCE)
 mode = MBEDTLS_SSL_VERIFY_UNSET;
 else
- mode = MBEDTLS_SSL_VERIFY_NONE;
+ mode = MBEDTLS_SSL_VERIFY_NONE;
 #endif
 /* apply new ctx cert to ssl */
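Review bot: The new first branch in SSL_set_SSL_CTX is tested before `SSL_VERIFY_PEER` and `SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, so a context whose verify_mode combines either flag with `SSL_VERIFY_POST_HANDSHAKE` now gets `MBEDTLS_SSL_VERIFY_OPTIONAL` where it previously got `MBEDTLS_SSL_VERIFY_REQUIRED`. With OPTIONAL, mbedtls lets the handshake complete even when certificate verification fails, and the outcome has to be read afterwards with `mbedtls_ssl_get_verify_result()`; the hunk does not show whether any caller does that, and the function continues outside the hunk. If the override is intended, I would state it in a comment above the branch, e.g. `/* POST_HANDSHAKE: a bad peer cert does not fail the handshake; caller must check mbedtls_ssl_get_verify_result() */`. I would also consider testing `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` ahead of the new branch so an explicit fail-closed request is still honoured.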