diff --git a/CHANGES b/CHANGES
index 9e925d38ed..4c6bb5455b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -24,8 +24,9 @@ Changes with Apache 2.3.9
      interfering with authentication/authorization. [Paul Querna,
      Igor Galić, Stefan Fritsch]
 
-  *) mod_ssl: Log certificate information if client cert verification
-     fails. PR 50094. [Lassi Tuura <lat cern ch>, Stefan Fritsch]
+  *) mod_ssl: Log certificate information and improve error message if client
+     cert verification fails. PR 50093, PR 50094. [Lassi Tuura <lat cern ch>,
+     Stefan Fritsch]
 
   *) htcacheclean: Teach htcacheclean to limit cache size by number of
      inodes in addition to size of files. Prevents a cache disk from
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index 5e14ff5da0..62127fff2d 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -623,7 +623,8 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c)
         result = "GENEROUS";
     else
         /* client verification failed */
-        result = apr_psprintf(p, "FAILED:%s", verr);
+        result = apr_psprintf(p, "FAILED:%s",
+                              verr ? verr : X509_verify_cert_error_string(vrc));
 
     if (xs)
         X509_free(xs);