diff --git a/src/stub.c b/src/stub.c
index c40d518e..148c1a2b 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -868,20 +868,19 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err,
 	            X509_verify_cert_error_string(err));
 #endif
+#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
+	if (!preverify_ok && !upstream->tls_fallback_ok)
+			DEBUG_DAEMON("%s %s : Conn failed   : Transport=TLS - *Failure* -  (%d) \"%s\"\n",
+		                  STUB_DEBUG_DAEMON, upstream->addr_str, err,
+			              X509_verify_cert_error_string(err));
+#endif
 
 	/* First deal with the hostname authentication done by OpenSSL. */
 #ifdef X509_V_ERR_HOSTNAME_MISMATCH
 	/*Report if error is hostname mismatch*/
-	if (err == X509_V_ERR_HOSTNAME_MISMATCH) {
-		if (upstream->tls_fallback_ok)
+	if (err == X509_V_ERR_HOSTNAME_MISMATCH && upstream->tls_fallback_ok)
 			DEBUG_STUB("%s %-35s: FD:  %d WARNING: Proceeding even though hostname validation failed!\n",
 		                STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
-#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
-		else
-			DEBUG_DAEMON("%s %s : Conn failed   : Transport=TLS - *Failure* - Hostname mismatch\n",
-		                  STUB_DEBUG_DAEMON, upstream->addr_str);
-#endif
-	}
 #else
 	/* if we weren't built against OpenSSL with hostname matching we
 	 * could not have matched the hostname, so this would be an automatic
diff --git a/src/tools/stubby.conf b/src/tools/stubby.conf
index e562e49d..054a9256 100644
--- a/src/tools/stubby.conf
+++ b/src/tools/stubby.conf
@@ -26,14 +26,14 @@
     , tls_auth_name: "dnsovertls.sinodun.com"
     , tls_pubkey_pinset:
       [ { digest: "sha256"
-        , value: 0xA132D34D34C181765337C70B83E3697B9524DDDB05A7118B43C0284033D5A0CC
+        , value: 0xEB694ABBD1EC0D56F288F7A70299DCE2C7E64984C73957C580BDE9C81F9C04BE
       } ] 
     },
     { address_data: 2001:610:1:40ba:145:100:185:16
     , tls_auth_name: "dnsovertls1.sinodun.com"
     , tls_pubkey_pinset:
       [ { digest: "sha256"
-        , value: 0x659B41EB08DCC70EE9D624E6219C76EE31954DA1548B0C8519EAE5228CB24150
+        , value: 0x704D9E7002DE13907EBAB2610EB26554599FDFC7092C0BEA7A438DBE3BE9A940
       } ] 
     },
     { address_data: 2a04:b900:0:100::38