diff --git a/daemon/main.c b/daemon/main.c
index c0404a8c8907e05371402a536ab1dda84229013c..c02adb0f2365c9641e70e640a6c2ea316eee6999 100644
--- a/daemon/main.c
+++ b/daemon/main.c
@@ -361,6 +361,8 @@ static int run_worker(uv_loop_t *loop, struct engine *engine, fd_array_t *ipc_se
 		}
 	}
 	memcpy(&engine->ipc_set, ipc_set, sizeof(*ipc_set));
+
+	tls_setup_logging(kr_debug_status());
 	/* Notify supervisor. */
 #ifdef HAS_SYSTEMD
 	sd_notify(0, "READY=1");
diff --git a/daemon/tls.c b/daemon/tls.c
index 19ae7c05444128862030671abec0486a0b962191..023e7a1f9b6a7f6c91d7215e7dc4cc7e9d0b3e17 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -52,6 +52,19 @@ struct tls_ctx_t {
 #define DEBUG_MSG(fmt...)
 #endif
 
+static void
+kres_gnutls_log(int level, const char *message)
+{
+	kr_log_error("[tls] gnutls: (%d) %s", level, message);
+}
+
+void
+tls_setup_logging(bool verbose)
+{
+	gnutls_global_set_log_function(kres_gnutls_log);
+	gnutls_global_set_log_level(verbose ? 1 : 0);
+}
+
 static ssize_t kres_gnutls_push(gnutls_transport_ptr_t h, const void *buf, size_t len)
 {
 	struct tls_ctx_t *t = (struct tls_ctx_t *)h;
diff --git a/daemon/tls.h b/daemon/tls.h
index 20ac507eb97110f2a93b7a38aaf79d9228bbc66c..0884700300a3fe5ac3a840409ad5ee24b7e75a9c 100644
--- a/daemon/tls.h
+++ b/daemon/tls.h
@@ -29,6 +29,8 @@ struct tls_credentials_t {
 	gnutls_certificate_credentials_t credentials;
 };
 
+void tls_setup_logging(bool verbose);
+
 struct tls_ctx_t* tls_new(struct worker_ctx *worker);
 void tls_free(struct tls_ctx_t* tls);