diff --git a/NEWS b/NEWS
index 00e3b36..d5a03fb 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+29-10-2007: Certificate validation change. In "basic" mode, expired
+certificates are now accepted as long as they are in store (therefore trusted).
+This makes the basic mode be more SSH like. Some extreme security zealots might
+want to be warned.
+
 02-09-2007: as of now log parameters go in the user {} statment. This brakes every config and there is no backwrads compatibility as of now. Lots of internal changes, expect crashes.
diff --git a/bip.conf.1 b/bip.conf.1
index ba1346b..cdc8850 100644
--- a/bip.conf.1
+++ b/bip.conf.1
@@ -221,8 +221,11 @@ Tells whether BIP should check the server SSL certificate and against what. Can be \fBnone\fP for no check at all, \fBca\fP to check if the cert is signed by a Certificate Authority in repository, or \fBbasic\fP to check if cert exists in repository. The repository is defined by \fBssl_check_store\fP. This
-allows a "ssh-like" private key generation scheme. Note that in basic mode,
-valid CA-signed certificates are also considered valid.
+allows a "ssh-like" private key generation scheme. Note that in basic mode:
+.br
+ - expired certificates that are in the store are considered valid.
+.br
+ - CA-signed certificates are considered valid even if not in store.
 .TP
 \fBssl_check_store\fP (default: \fBnot set\fP)
diff --git a/src/connection.c b/src/connection.c
index 19aab41..120c3a4 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1178,14 +1178,20 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
 err == X509_V_ERR_CERT_UNTRUSTED ||
 err == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
-err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) {
+err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT ||
+err == X509_V_ERR_CERT_HAS_EXPIRED)) {
 if (X509_STORE_get_by_subject(ctx, X509_LU_X509,
 X509_get_subject_name(err_cert), &xobj) > 0 &&
 !X509_cmp(xobj.data.x509, err_cert)) {
-mylog(LOG_INFO, "Basic mode; peer certificate found "
-"in store, accepting it!");
+if (err == X509_V_ERR_CERT_HAS_EXPIRED)
+mylog(LOG_INFO, "Basic mode; Accepting "
+"*expired* peer certificate "
+"found in store.");
+else
+mylog(LOG_INFO, "Basic mode; Accepting peer "
+"certificate found in store.");
 result = 1;
 err = X509_V_OK;