diff --git a/integrationtests/self/handshake_test.go b/integrationtests/self/handshake_test.go
index 44b508ad6..9433312cc 100644
--- a/integrationtests/self/handshake_test.go
+++ b/integrationtests/self/handshake_test.go
@@ -79,7 +79,8 @@ var _ = Describe("Handshake tests", func() {
 	})
 
 	Context("Certifiate validation", func() {
-		for _, v := range []protocol.VersionNumber{protocol.Version39, protocol.VersionTLS} {
+		// no need to run these tests with TLS. mint doesn't do certificate verification
+		for _, v := range protocol.SupportedVersions {
 			version := v
 
 			Context(fmt.Sprintf("using %s", version), func() {
diff --git a/mint_utils.go b/mint_utils.go
index 1ddba7f5c..a3ed18758 100644
--- a/mint_utils.go
+++ b/mint_utils.go
@@ -16,6 +16,8 @@ import (
 	"github.com/lucas-clemente/quic-go/internal/wire"
 )
 
+var errMintIsInsecure = errors.New("mint currently DOES NOT support certificate verification (see https://github.com/bifurcation/mint/issues/161 for details). Set InsecureSkipVerify to acknowledge that no certificate verification will be performed, and the connection will be vulnerable to man-in-the-middle attacks")
+
 type mintController struct {
 	csc  *handshake.CryptoStreamConn
 	conn *mint.Conn
@@ -77,6 +79,9 @@ func tlsToMintConfig(tlsConf *tls.Config, pers protocol.Perspective) (*mint.Conf
 		},
 	}
 	if tlsConf != nil {
+		if pers == protocol.PerspectiveClient && !tlsConf.InsecureSkipVerify {
+			return nil, errMintIsInsecure
+		}
 		mconf.ServerName = tlsConf.ServerName
 		mconf.Certificates = make([]*mint.Certificate, len(tlsConf.Certificates))
 		for i, certChain := range tlsConf.Certificates {
diff --git a/mint_utils_test.go b/mint_utils_test.go
index 3398299d3..dfa1c2aee 100644
--- a/mint_utils_test.go
+++ b/mint_utils_test.go
@@ -43,7 +43,10 @@ var _ = Describe("Packing and unpacking Initial packets", func() {
 		})
 
 		It("sets the server name", func() {
-			conf := &tls.Config{ServerName: "www.example.com"}
+			conf := &tls.Config{
+				ServerName:         "www.example.com",
+				InsecureSkipVerify: true,
+			}
 			mintConf, err := tlsToMintConfig(conf, protocol.PerspectiveClient)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(mintConf.ServerName).To(Equal("www.example.com"))
@@ -51,25 +54,40 @@ var _ = Describe("Packing and unpacking Initial packets", func() {
 
 		It("sets the certificate chain", func() {
 			tlsConf := testdata.GetTLSConfig()
+			tlsConf.InsecureSkipVerify = true
 			mintConf, err := tlsToMintConfig(tlsConf, protocol.PerspectiveClient)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(mintConf.Certificates).ToNot(BeEmpty())
 			Expect(mintConf.Certificates).To(HaveLen(len(tlsConf.Certificates)))
 		})
 
+		It("forces the application to set InsecureSkipVerify, because mint is INSECURE", func() {
+			conf := &tls.Config{
+				ServerName:         "www.example.com",
+				InsecureSkipVerify: false,
+			}
+			_, err := tlsToMintConfig(conf, protocol.PerspectiveClient)
+			Expect(err).To(HaveOccurred())
+			Expect(err).To(MatchError(errMintIsInsecure))
+		})
+
 		It("requires client authentication", func() {
-			mintConf, err := tlsToMintConfig(nil, protocol.PerspectiveClient)
+			conf := &tls.Config{ServerName: "localhost"} // mint forces us to set a ServerName for a server config, although this field is only used for clients
+			mintConf, err := tlsToMintConfig(conf, protocol.PerspectiveServer)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(mintConf.RequireClientAuth).To(BeFalse())
-			conf := &tls.Config{ClientAuth: tls.RequireAnyClientCert}
-			mintConf, err = tlsToMintConfig(conf, protocol.PerspectiveClient)
+			conf = &tls.Config{
+				ServerName: "localhost", // mint forces us to set a ServerName for a server config, although this field is only used for clients
+				ClientAuth: tls.RequireAnyClientCert,
+			}
+			mintConf, err = tlsToMintConfig(conf, protocol.PerspectiveServer)
 			Expect(err).ToNot(HaveOccurred())
 			Expect(mintConf.RequireClientAuth).To(BeTrue())
 		})
 
 		It("rejects unsupported client auth types", func() {
 			conf := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}
-			_, err := tlsToMintConfig(conf, protocol.PerspectiveClient)
+			_, err := tlsToMintConfig(conf, protocol.PerspectiveServer)
 			Expect(err).To(MatchError("mint currently only support ClientAuthType RequireAnyClientCert"))
 		})
 	})
diff --git a/server_tls_test.go b/server_tls_test.go
index 7cead5cd8..4598a16a7 100644
--- a/server_tls_test.go
+++ b/server_tls_test.go
@@ -36,7 +36,8 @@ var _ = Describe("Stateless TLS handling", func() {
 			Versions: []protocol.VersionNumber{protocol.VersionTLS},
 		}
 		var err error
-		server, sessionChan, err = newServerTLS(conn, config, nil, testdata.GetTLSConfig())
+		tlsConf := testdata.GetTLSConfig()
+		server, sessionChan, err = newServerTLS(conn, config, nil, tlsConf)
 		Expect(err).ToNot(HaveOccurred())
 		server.newMintConn = func(bc *handshake.CryptoStreamConn, v protocol.VersionNumber) (handshake.MintTLS, <-chan handshake.TransportParameters, error) {
 			mintReply = bc