Index: binary-improvements/MapRendering/Web/OpenID.cs
===================================================================
--- binary-improvements/MapRendering/Web/OpenID.cs	(revision 313)
+++ binary-improvements/MapRendering/Web/OpenID.cs	(revision 314)
@@ -7,4 +7,6 @@
 using System.Text;
 using System.Text.RegularExpressions;
+using System.Security.Cryptography.X509Certificates;
+using System.Reflection;
 
 namespace AllocsFixes.NetConnections.Servers.Web
@@ -14,11 +16,80 @@
 		private static Regex steamIdUrlMatcher = new Regex (@"^http:\/\/steamcommunity\.com\/openid\/id\/([0-9]{17,18})");
 
+		private static readonly X509Certificate2 caCert = new X509Certificate2 (Path.GetDirectoryName (Assembly.GetExecutingAssembly ().Location) + "/steam-rootca.cer");
+		private static readonly X509Certificate2 caIntermediateCert = new X509Certificate2 (Path.GetDirectoryName (Assembly.GetExecutingAssembly ().Location) + "/steam-intermediate.cer");
+
+		private static readonly bool verboseSsl = false;
+
 		static OpenID () {
 			ServicePointManager.ServerCertificateValidationCallback = (srvPoint, certificate, chain, errors) => {
-				if (errors == SslPolicyErrors.None)
+				if (errors == SslPolicyErrors.None) {
+					if (verboseSsl) {
+						Log.Out ("Steam certificate: No error (1)");
+					}
 					return true;
+				}
 
-				Log.Out ("Steam certificate error: {0}", errors);
+				X509Chain privateChain = new X509Chain ();
+				privateChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
 
+				privateChain.ChainPolicy.ExtraStore.Add (caCert);
+				privateChain.ChainPolicy.ExtraStore.Add (caIntermediateCert);
+
+				if (privateChain.Build (new X509Certificate2 (certificate))) {
+					// No errors, immediately return
+					privateChain.Reset ();
+					if (verboseSsl) {
+						Log.Out ("Steam certificate: No error (2)");
+					}
+					return true;
+				}
+
+				if (privateChain.ChainStatus.Length == 0) {
+					// No errors, immediately return
+					privateChain.Reset ();
+					if (verboseSsl) {
+						Log.Out ("Steam certificate: No error (3)");
+					}
+					return true;
+				}
+
+				// Iterate all chain elements
+				foreach (X509ChainElement chainEl in privateChain.ChainElements) {
+					if (verboseSsl) {
+						Log.Out ("Validating cert: " + chainEl.Certificate.Subject);
+					}
+					// Iterate all status flags of the current cert
+					foreach (X509ChainStatus chainStatus in chainEl.ChainElementStatus) {
+						if (verboseSsl) {
+							Log.Out ("   Status: " + chainStatus.Status);
+						}
+						if (chainStatus.Status == X509ChainStatusFlags.NoError) {
+							// This status is not an error, skip
+							continue;
+						}
+						if (chainStatus.Status == X509ChainStatusFlags.UntrustedRoot && chainEl.Certificate == caCert) {
+							// This status is about the cert being an untrusted root certificate but the certificate is one of those we added, ignore
+							continue;
+						}
+						// This status is an error, print information
+						Log.Warning ("Steam certificate error: " + chainEl.Certificate.Subject + " ### Error: " + chainStatus.Status);
+						privateChain.Reset ();
+						return false;
+					}
+				}
+
+				foreach (X509ChainStatus chainStatus in privateChain.ChainStatus) {
+					if (chainStatus.Status != X509ChainStatusFlags.NoError && chainStatus.Status != X509ChainStatusFlags.UntrustedRoot) {
+						Log.Warning ("Steam certificate error: " + chainStatus.Status);
+						privateChain.Reset ();
+						return false;
+					}
+				}
+
+				// We didn't find any errors, chain is valid
+				privateChain.Reset ();
+				if (verboseSsl) {
+					Log.Out ("Steam certificate: No error (4)");
+				}
 				return true;
 			};
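Review bot: The fallback validation after the `errors == SslPolicyErrors.None` check runs for every other value of `errors`, so a `RemoteCertificateNameMismatch` is silently dropped and a certificate that builds in `privateChain` is accepted for whatever host was contacted; the callback is also installed process-wide on `ServicePointManager`. Before `new X509Chain ()` I would add `if (errors != SslPolicyErrors.RemoteCertificateChainErrors) { return false; }` so that only chain errors reach the pinned-CA path. Separately, `chainEl.Certificate == caCert` looks like a reference comparison, which would not match a chain element that is a different object for the same certificate; comparing thumbprints is safer, e.g. `chainEl.Certificate.Thumbprint == caCert.Thumbprint`. The branch that returns true when `Build` failed but `ChainStatus.Length == 0` accepts a chain without a positive result and deserves a comment explaining why, or removal. The static constructor continues past the end of this hunk.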
Index: binary-improvements/MapRendering/Web/Web.cs
===================================================================
--- binary-improvements/MapRendering/Web/Web.cs	(revision 313)
+++ binary-improvements/MapRendering/Web/Web.cs	(revision 314)
@@ -237,13 +237,18 @@
 
 			if (_req.Url.AbsolutePath.StartsWith ("/session/verify")) {
-				ulong id = OpenID.Validate (_req);
-				if (id > 0) {
-					WebConnection con = connectionHandler.LogIn (id, _req.RemoteEndPoint.Address.ToString ());
-					_con = con;
-					int level = GameManager.Instance.adminTools.GetAdminToolsClientInfo (id.ToString ()).PermissionLevel;
-					Log.Out ("Steam OpenID login from {0} with ID {1}, permission level {2}", _req.RemoteEndPoint.ToString (), con.SteamID, level);
-					return level;
-				} else {
-					Log.Out ("Steam OpenID login failed from {0}", _req.RemoteEndPoint.ToString ());
+				try {
+					ulong id = OpenID.Validate (_req);
+					if (id > 0) {
+						WebConnection con = connectionHandler.LogIn (id, _req.RemoteEndPoint.Address.ToString ());
+						_con = con;
+						int level = GameManager.Instance.adminTools.GetAdminToolsClientInfo (id.ToString ()).PermissionLevel;
+						Log.Out ("Steam OpenID login from {0} with ID {1}, permission level {2}", _req.RemoteEndPoint.ToString (), con.SteamID, level);
+						return level;
+					} else {
+						Log.Out ("Steam OpenID login failed from {0}", _req.RemoteEndPoint.ToString ());
+					}
+				} catch (Exception e) {
+					Log.Error ("Error validating login:");
+					Log.Exception (e);
 				}
 			}
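Review bot: The new `catch (Exception e)` wraps the whole login sequence rather than only `OpenID.Validate (_req)`, so if the `GetAdminToolsClientInfo` lookup throws, `connectionHandler.LogIn` has already run and `_con = con` is already assigned, yet the handler falls through as if the login had failed. Doing the permission lookup before `connectionHandler.LogIn`, or narrowing the `try` to the `Validate` call, keeps a swallowed exception from leaving a half-established session. The error path also loses the caller's address that the other two log lines carry; `Log.Error ("Error validating login from " + _req.RemoteEndPoint + ":");` would keep failed attempts attributable. The enclosing method starts and ends outside this hunk, so what it returns after the fall-through is not visible here.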
