diff -r 5596ef69d425 surf.c
--- a/surf.c	Thu Jul 12 12:41:56 2012 +0200
+++ b/surf.c	Mon Jul 16 10:58:04 2012 +0100
@@ -387,6 +387,8 @@
 	WebKitWebDataSource *src;
 	WebKitNetworkRequest *request;
 	SoupMessage *msg;
+	GTlsCertificate *cert;
+	GTlsCertificateFlags certerrs;
 	char *uri;
 
 	switch(webkit_web_view_get_load_status (c->view)) {
@@ -399,6 +401,27 @@
 			msg = webkit_network_request_get_message(request);
 			c->sslfailed = soup_message_get_flags(msg)
 			               ^ SOUP_MESSAGE_CERTIFICATE_TRUSTED;
+			if(c->sslfailed) {
+				fprintf(stderr, "Certificate failure for %s: ", uri);
+				/* needs libsoup 2.34+ */
+				if(soup_message_get_https_flags(msg, &cert, &certerrs)) {
+					if(certerrs & G_TLS_CERTIFICATE_UNKNOWN_CA)
+						fprintf(stderr, ":unknown ca: "); 
+					if(certerrs & G_TLS_CERTIFICATE_BAD_IDENITY)
+						fprintf(stderr, ":wrong identity: "); 
+					if(certerrs & G_TLS_CERTIFICATE_NOT_ACTIVATED)
+						fprintf(stderr, ":active date in future: "); 
+					if(certerrs & G_TLS_CERTIFICATE_EXPIRED)
+						fprintf(stderr, ":expired: "); 
+					if(certerrs & G_TLS_CERTIFICATE_REVOKED)
+						fprintf(stderr, ":revoked: "); 
+					if(certerrs & G_TLS_CERTIFICATE_INSECURE)
+						fprintf(stderr, ":insecure algorithm: "); 
+					if(certerrs & G_TLS_GENERIC_ERROR)
+						fprintf(stderr, ":unknown error: "); 
+					fputc('\n', stderr);
+				}
+			}
 		}
 		setatom(c, AtomUri, uri);
 		break;