diff --git a/etcdmain/etcd.go b/etcdmain/etcd.go
index 2f7f00d61ad..a70b2502c73 100644
--- a/etcdmain/etcd.go
+++ b/etcdmain/etcd.go
@@ -356,11 +356,22 @@ func identifyDataDirOrDie(dir string) dirType {
 	return dirEmpty
 }
 
-func setupLogging(cfg *config) {
-	cfg.ClientTLSInfo.HandshakeFailure = func(conn *tls.Conn, err error) {
-		plog.Infof("rejected connection from %q (%v)", conn.RemoteAddr().String(), err)
+func logTLSHandshakeFailure(conn *tls.Conn, err error) {
+	state := conn.ConnectionState()
+	remoteAddr := conn.RemoteAddr().String()
+	serverName := state.ServerName
+	if len(state.PeerCertificates) > 0 {
+		cert := state.PeerCertificates[0]
+		ips, dns := cert.IPAddresses, cert.DNSNames
+		plog.Infof("rejected connection from %q (error %q, ServerName %q, IPAddresses %q, DNSNames %q)", remoteAddr, err.Error(), serverName, ips, dns)
+	} else {
+		plog.Infof("rejected connection from %q (error %q, ServerName %q)", remoteAddr, err.Error(), serverName)
 	}
-	cfg.PeerTLSInfo.HandshakeFailure = cfg.ClientTLSInfo.HandshakeFailure
+}
+
+func setupLogging(cfg *config) {
+	cfg.ClientTLSInfo.HandshakeFailure = logTLSHandshakeFailure
+	cfg.PeerTLSInfo.HandshakeFailure = logTLSHandshakeFailure
 
 	capnslog.SetGlobalLogLevel(capnslog.INFO)
 	if cfg.Debug {