diff --git a/lib/ngx/ssl/proxysslverify.lua b/lib/ngx/ssl/proxysslverify.lua
new file mode 100644
index 000000000..4ba04220d
--- /dev/null
+++ b/lib/ngx/ssl/proxysslverify.lua
@@ -0,0 +1,140 @@
+-- Copyright (C) Yichun Zhang (agentzh)
+
+
+local base = require "resty.core.base"
+base.allows_subsystem('http', 'stream')
+
+
+local ffi = require "ffi"
+local C = ffi.C
+local ffi_gc = ffi.gc
+local ffi_str = ffi.string
+local get_request = base.get_request
+local error = error
+local errmsg = base.get_errmsg_ptr()
+
+local FFI_OK = base.FFI_OK
+local FFI_ERROR = base.FFI_ERROR
+local subsystem = ngx.config.subsystem
+local ngx_phase = ngx.get_phase
+
+local ngx_lua_ffi_ssl_set_verify_result
+local ngx_lua_ffi_ssl_get_verify_result
+local ngx_lua_ffi_ssl_get_verify_cert
+local ngx_lua_ffi_ssl_free_verify_cert
+
+
+if subsystem == 'http' then
+    ffi.cdef[[
+    int ngx_http_lua_ffi_ssl_set_verify_result(ngx_http_request_t *r,
+        int verify_result, char **err);
+
+    int ngx_http_lua_ffi_ssl_get_verify_result(ngx_http_request_t *r,
+        char **err);
+
+    void *ngx_http_lua_ffi_ssl_get_verify_cert(ngx_http_request_t *r,
+        char **err);
+
+    void ngx_http_lua_ffi_ssl_free_verify_cert(void *cdata);
+    ]]
+
+    ngx_lua_ffi_ssl_set_verify_result =
+        C.ngx_http_lua_ffi_ssl_set_verify_result
+    ngx_lua_ffi_ssl_get_verify_result =
+        C.ngx_http_lua_ffi_ssl_get_verify_result
+    ngx_lua_ffi_ssl_get_verify_cert =
+        C.ngx_http_lua_ffi_ssl_get_verify_cert
+    ngx_lua_ffi_ssl_free_verify_cert =
+        C.ngx_http_lua_ffi_ssl_free_verify_cert
+
+
+
+elseif subsystem == 'stream' then
+    ffi.cdef[[
+    int ngx_stream_lua_ffi_ssl_set_verify_result(ngx_stream_lua_request_t *r,
+        int verify_result, char **err);
+
+    int ngx_stream_lua_ffi_ssl_get_verify_result(ngx_stream_lua_request_t *r,
+        char **err);
+
+    void *ngx_stream_lua_ffi_ssl_get_verify_cert(ngx_stream_lua_request_t *r,
+        char **err);
+
+    void ngx_stream_lua_ffi_ssl_free_verify_cert(void *cdata);
+    ]]
+
+    ngx_lua_ffi_ssl_set_verify_result =
+        C.ngx_stream_lua_ffi_ssl_set_verify_result
+    ngx_lua_ffi_ssl_get_verify_result =
+        C.ngx_stream_lua_ffi_ssl_get_verify_result
+    ngx_lua_ffi_ssl_get_verify_cert =
+        C.ngx_stream_lua_ffi_ssl_get_verify_cert
+    ngx_lua_ffi_ssl_free_verify_cert =
+        C.ngx_stream_lua_ffi_ssl_free_verify_cert
+end
+
+
+local _M = { version = base.version }
+
+
+-- return ok, err
+function _M.set_verify_result(verify_result)
+    local r = get_request()
+    if not r then
+        error("no request found")
+    end
+
+    if ngx_phase() ~= "proxy_ssl_verify" then
+        error("API disabled in the current context")
+    end
+
+    local rc = ngx_lua_ffi_ssl_set_verify_result(r, verify_result, errmsg)
+    if rc == FFI_OK then
+        return true
+    end
+
+    return nil, ffi_str(errmsg[0])
+end
+
+
+-- return verify_result, err
+function _M.get_verify_result()
+    local r = get_request()
+    if not r then
+        error("no request found")
+    end
+
+    if ngx_phase() ~= "proxy_ssl_verify" then
+        error("API disabled in the current context")
+    end
+
+    local rc = ngx_lua_ffi_ssl_get_verify_result(r, errmsg)
+    if rc == FFI_ERROR then
+        return nil, ffi_str(errmsg[0])
+    end
+
+    return rc
+end
+
+
+-- return cert, err
+function _M.get_verify_cert()
+    local r = get_request()
+    if not r then
+        error("no request found")
+    end
+
+    if ngx_phase() ~= "proxy_ssl_verify" then
+        error("API disabled in the current context")
+    end
+
+    local cert = ngx_lua_ffi_ssl_get_verify_cert(r, errmsg)
+    if cert ~= nil then
+        return ffi_gc(cert, ngx_lua_ffi_ssl_free_verify_cert)
+    end
+
+    return nil, ffi_str(errmsg[0])
+end
+
+
+return _M
diff --git a/lib/ngx/ssl/proxysslverify.md b/lib/ngx/ssl/proxysslverify.md
new file mode 100644
index 000000000..ecf9bce4c
--- /dev/null
+++ b/lib/ngx/ssl/proxysslverify.md
@@ -0,0 +1,188 @@
+Name
+====
+
+ngx.ssl.proxysslverify - Lua API for post-processing SSL server certificate message for NGINX upstream SSL connections.
+
+Table of Contents
+=================
+
+* [Name](#name)
+* [Status](#status)
+* [Synopsis](#synopsis)
+* [Description](#description)
+* [Methods](#methods)
+    * [set_verify_result](#set_verify_result)
+    * [get_verify_result](#get_verify_result)
+    * [get_verify_cert](#get_verify_cert)
+* [Community](#community)
+    * [English Mailing List](#english-mailing-list)
+    * [Chinese Mailing List](#chinese-mailing-list)
+* [Bugs and Patches](#bugs-and-patches)
+* [Author](#author)
+* [Copyright and License](#copyright-and-license)
+* [See Also](#see-also)
+
+Status
+======
+
+This Lua module is production ready.
+
+Synopsis
+========
+
+```nginx
+# nginx.conf
+
+server {
+    listen 443 ssl;
+    server_name   test.com;
+    ssl_certificate /path/to/cert.crt;
+    ssl_certificate_key /path/to/key.key;
+
+    location /t {
+        proxy_ssl_certificate /path/to/cert.crt;
+        proxy_ssl_certificate_key /path/to/key.key;
+        proxy_pass https://upstream;
+
+        proxy_ssl_verify_by_lua_block {
+            local proxy_ssl_vfy = require "ngx.ssl.proxysslverify"
+
+            local cert, err = proxy_ssl_vfy.get_verify_cert()
+
+            -- ocsp to verify cert
+            -- check crl
+
+            proxy_ssl_vfy.set_verify_result(0)
+        }
+    }
+    ...
+ }
+```
+
+Description
+===========
+
+This Lua module provides API functions for post-processing SSL server certificate message for NGINX upstream connections.
+
+It must to be used in the contexts [proxy_ssl_verify_by_lua*](https://github.com/openresty/lua-nginx-module/#proxy_ssl_verify_by_lua_block).
+
+This directive runs user Lua code when Nginx is about to post-process the SSL server certificate message for the upstream SSL (https) connections.
+
+It is particularly useful to parse upstream server certificate and do some custom operations in pure lua.
+
+To load the `ngx.ssl.proxysslverify` module in Lua, just write
+
+```lua
+local proxy_ssl_vfy = require "ngx.ssl.proxysslverify"
+```
+
+[Back to TOC](#table-of-contents)
+
+Methods
+=======
+
+set_verify_result
+-----------------
+**syntax:** *ok, err = proxy_ssl_vfy.set_verify_result(0)*
+
+**context:** *proxy_ssl_verify_by_lua&#42;*
+
+According to openssl's doc of SSL_CTX_set_cert_verify_callback: In any case a viable verification result value must be reflected in the error member of x509_store_ctx, which can be done using X509_STORE_CTX_set_error. So after using Lua code to verify server certificate, we need to call this function to setup verify result. Please refers to openssl's `include/openssl/x509_vfy.h` to see which verify result code can be used.
+
+In case of errors, it returns `nil` and a string describing the error.
+
+This function can only be called in the context of [proxy_ssl_verify_by_lua*](https://github.com/openresty/lua-nginx-module/#proxy_ssl_verify_by_lua_block).
+
+[Back to TOC](#table-of-contents)
+
+get_verify_result
+-----------------
+**syntax:** *verify_result, err = proxy_ssl_vfy.get_verify_result()*
+
+**context:** *proxy_ssl_verify_by_lua&#42;*
+
+Returns the verify result code.
+
+In case of errors, it returns `nil` and a string describing the error.
+
+This function can only be called in the context of [proxy_ssl_verify_by_lua*](https://github.com/openresty/lua-nginx-module/#proxy_ssl_verify_by_lua_block).
+
+[Back to TOC](#table-of-contents)
+
+get_verify_cert
+---------------
+**syntax:** *cert, err = proxy_ssl_vfy.get_verify_cert()*
+
+**context:** *proxy_ssl_verify_by_lua&#42;*
+
+Returns the server certificate Nginx received from upstream SSL connection.
+
+In case of errors, it returns `nil` and a string describing the error.
+
+This function can only be called in the context of [proxy_ssl_verify_by_lua*](https://github.com/openresty/lua-nginx-module/#proxy_ssl_verify_by_lua_block).
+
+[Back to TOC](#table-of-contents)
+
+Community
+=========
+
+[Back to TOC](#table-of-contents)
+
+English Mailing List
+--------------------
+
+The [openresty-en](https://groups.google.com/group/openresty-en) mailing list is for English speakers.
+
+[Back to TOC](#table-of-contents)
+
+Chinese Mailing List
+--------------------
+
+The [openresty](https://groups.google.com/group/openresty) mailing list is for Chinese speakers.
+
+[Back to TOC](#table-of-contents)
+
+Bugs and Patches
+================
+
+Please report bugs or submit patches by
+
+1. creating a ticket on the [GitHub Issue Tracker](https://github.com/openresty/lua-resty-core/issues),
+1. or posting to the [OpenResty community](#community).
+
+[Back to TOC](#table-of-contents)
+
+Author
+======
+
+Fuhong Ma &lt;willmafh@hotmail.com&gt; (willmafh)
+
+[Back to TOC](#table-of-contents)
+
+Copyright and License
+=====================
+
+This module is licensed under the BSD license.
+
+Copyright (C) 2016-2017, by Yichun "agentzh" Zhang, OpenResty Inc.
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+[Back to TOC](#table-of-contents)
+
+See AlsoCopyright
+========
+* the ngx_lua module: https://github.com/openresty/lua-nginx-module
+* the [proxy_ssl_verify_by_lua*](https://github.com/openresty/lua-nginx-module/#proxy_ssl_verify_by_lua_block) directive.
+* the [lua-resty-core](https://github.com/openresty/lua-resty-core) library.
+* OpenResty: https://openresty.org
+
+[Back to TOC](#table-of-contents)
diff --git a/lib/resty/core/phase.lua b/lib/resty/core/phase.lua
index 8bd2ce827..eaf04d768 100644
--- a/lib/resty/core/phase.lua
+++ b/lib/resty/core/phase.lua
@@ -15,22 +15,23 @@ int ngx_http_lua_ffi_get_phase(ngx_http_request_t *r, char **err)
 
 local errmsg = base.get_errmsg_ptr()
 local context_names = {
-    [0x0001] = "set",
-    [0x0002] = "rewrite",
-    [0x0004] = "access",
-    [0x0008] = "content",
-    [0x0010] = "log",
-    [0x0020] = "header_filter",
-    [0x0040] = "body_filter",
-    [0x0080] = "timer",
-    [0x0100] = "init_worker",
-    [0x0200] = "balancer",
-    [0x0400] = "ssl_cert",
-    [0x0800] = "ssl_session_store",
-    [0x1000] = "ssl_session_fetch",
-    [0x2000] = "exit_worker",
-    [0x4000] = "ssl_client_hello",
-    [0x8000] = "server_rewrite",
+    [0x00000001] = "set",
+    [0x00000002] = "rewrite",
+    [0x00000004] = "access",
+    [0x00000008] = "content",
+    [0x00000010] = "log",
+    [0x00000020] = "header_filter",
+    [0x00000040] = "body_filter",
+    [0x00000080] = "timer",
+    [0x00000100] = "init_worker",
+    [0x00000200] = "balancer",
+    [0x00000400] = "ssl_cert",
+    [0x00000800] = "ssl_session_store",
+    [0x00001000] = "ssl_session_fetch",
+    [0x00002000] = "exit_worker",
+    [0x00004000] = "ssl_client_hello",
+    [0x00008000] = "server_rewrite",
+    [0x00010000] = "proxy_ssl_verify",
 }
 
 
diff --git a/t/proxy-ssl-verify.t b/t/proxy-ssl-verify.t
new file mode 100644
index 000000000..3c49646ef
--- /dev/null
+++ b/t/proxy-ssl-verify.t
@@ -0,0 +1,140 @@
+# vim:set ft= ts=4 sw=4 et fdm=marker:
+use lib '.';
+use t::TestCore;
+
+#worker_connections(10140);
+#workers(1);
+#log_level('warn');
+
+repeat_each(2);
+
+# All these tests need to have new openssl
+my $NginxBinary = $ENV{'TEST_NGINX_BINARY'} || 'nginx';
+my $openssl_version = eval { `$NginxBinary -V 2>&1` };
+
+if ($openssl_version =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) {
+    plan(skip_all => "too old OpenSSL, need 1.1.1, was $1");
+} else {
+    plan tests => repeat_each() * (blocks() * 6 - 2) - 4;
+}
+
+no_long_string();
+#no_diff();
+
+env_to_nginx("PATH=" . $ENV{'PATH'});
+$ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$t::TestCore::lua_package_path";
+$ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: ssl.proxysslverify.set_verify_result & ssl.proxysslverify.get_verify_result
+--- http_config
+    lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
+
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+        ssl_certificate ../../cert/mtls_server.crt;
+        ssl_certificate_key ../../cert/mtls_server.key;
+
+        location / {
+            default_type 'text/plain';
+
+            content_by_lua_block {
+                ngx.say("hello world")
+            }
+
+            more_clear_headers Date;
+        }
+    }
+--- config
+    location /t {
+        proxy_pass                    https://unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+        proxy_ssl_verify              on;
+        proxy_ssl_name                example.com;
+        proxy_ssl_certificate         ../../cert/mtls_client.crt;
+        proxy_ssl_certificate_key     ../../cert/mtls_client.key;
+        proxy_ssl_trusted_certificate ../../cert/mtls_ca.crt;
+        proxy_ssl_session_reuse       off;
+        proxy_ssl_conf_command        VerifyMode Peer;
+
+        proxy_ssl_verify_by_lua_block {
+            local proxy_ssl_vfy = require "ngx.ssl.proxysslverify"
+
+            local ok, err = proxy_ssl_vfy.set_verify_result(23)
+            if not ok then
+                ngx.log(ngx.ERR, "proxy ssl verify set_verify_result failed: ", err)
+                ngx.exit(ngx.ERROR)
+            end
+
+            local result, err = proxy_ssl_vfy.get_verify_result()
+            if not result then
+                ngx.log(ngx.ERR, "proxy ssl verify get_verify_result failed: ", err)
+            end
+
+            ngx.log(ngx.INFO, "proxy ssl verify result: ", result)
+        }
+    }
+--- request
+GET /t
+--- error_code: 502
+--- response_body_like: 502 Bad Gateway
+--- error_log
+proxy ssl verify result: 23
+--- no_error_log
+[alert]
+
+
+
+=== TEST 2: ssl.proxysslverify.get_verify_cert
+--- http_config
+    lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH";
+
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+        ssl_certificate ../../cert/mtls_server.crt;
+        ssl_certificate_key ../../cert/mtls_server.key;
+
+        location / {
+            default_type 'text/plain';
+
+            content_by_lua_block {
+                ngx.say("hello world")
+            }
+
+            more_clear_headers Date;
+        }
+    }
+--- config
+    location /t {
+        proxy_pass                    https://unix:$TEST_NGINX_HTML_DIR/nginx.sock;
+        proxy_ssl_verify              on;
+        proxy_ssl_name                example.com;
+        proxy_ssl_certificate         ../../cert/mtls_client.crt;
+        proxy_ssl_certificate_key     ../../cert/mtls_client.key;
+        proxy_ssl_trusted_certificate ../../cert/mtls_ca.crt;
+        proxy_ssl_session_reuse       off;
+        proxy_ssl_conf_command        VerifyMode Peer;
+
+        proxy_ssl_verify_by_lua_block {
+            local proxy_ssl_vfy = require "ngx.ssl.proxysslverify"
+
+            local cert, err = proxy_ssl_vfy.get_verify_cert()
+            if not cert then
+                ngx.log(ngx.ERR, "proxy ssl verify get_verify_cert failed: ", err)
+            end
+
+            -- more functions to take care of the returned cert
+        }
+    }
+--- request
+GET /t
+--- error_code: 200
+--- response_body
+hello world
+--- no_error_log
+proxy ssl verify get_verify_cert failed
+[alert]