diff --git a/library/x509_crt.c b/library/x509_crt.c
index fb09253e6..3652a8c53 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2174,7 +2174,9 @@ int x509_crt_verify( x509_crt *crt,
     }
 exit:
-    /* prevent misuse of the vrfy callback */
+    /* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
+     * the SSL module for authmode optional, but non-zero return from the
+     * callback means a fatal error so it shouldn't be ignored */
     if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
         ret = POLARSSL_ERR_X509_FATAL_ERROR;
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index dcb758cf3..5e4aeac95 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1596,6 +1596,8 @@ run_test "Authentication: client no cert, ssl3" \
     -C "! ssl_handshake returned" \
     -S "X509 - Certificate verification failed"
+# The "max_int chain" tests assume that MAX_INTERMEDIATE_CA is set to its
+# default value (8)
 run_test "Authentication: server max_int chain, client default" \
     "$P_SRV crt_file=data_files/dir-maxpath/c09.pem \
     key_file=data_files/dir-maxpath/09.key" \
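Review bot: The expanded comment above the remap at `exit:` still does not state the contract it is enforcing, so a reader of x509_crt_verify has to work out what a vrfy callback is allowed to return; I would spell it out: `/* A vrfy callback must report verification results via its flags argument and return non-zero only for a fatal error. A callback that returns VERIFY_FAILED would be treated as a soft failure by the SSL module in optional authmode, so remap it to FATAL_ERROR and fail closed. */`. Note also that the check keys on `ret` alone at the `exit:` label, so it presumably also rewrites a VERIFY_FAILED produced by any internal path that jumps to `exit`, not only one returned by the callback; if such a path exists the "misuse of the vrfy callback" wording is narrower than the behaviour and is worth confirming. The remap itself is the right fail-closed direction, since the alternative is a handshake that continues after an error the callback meant as fatal. x509_crt_verify begins before this hunk.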