diff --git a/CMakeLists.txt b/CMakeLists.txt
index c6f8dc66..be6b8e30 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -818,7 +818,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1067")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1068")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index 56dc3965..8b2253de 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 
 
 #define GMSSL_VERSION_NUM	30200
-#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1067"
+#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1068"
 
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/src/tls12.c b/src/tls12.c
index dcb062de..e68f2612 100644
--- a/src/tls12.c
+++ b/src/tls12.c
@@ -2671,8 +2671,10 @@ int tls_recv_client_key_exchange(TLS_CONNECT *conn)
 int tls_recv_certificate_verify(TLS_CONNECT *conn)
 {
 	int ret;
+	X509_SIGN_CTX sign_ctx;
 	X509_KEY client_sign_key;
-
+	const uint8_t *signer_id = NULL;
+	size_t signer_idlen = 0;
 	const uint8_t *sig;
 	size_t siglen;
 
@@ -2724,8 +2726,16 @@ int tls_recv_certificate_verify(TLS_CONNECT *conn)
 		tls_send_alert(conn, TLS_alert_bad_certificate);
 		return -1;
 	}
-
-
+	if (client_sign_key.algor_param == OID_sm2) {
+		signer_id = (uint8_t *)SM2_DEFAULT_ID;
+		signer_idlen = SM2_DEFAULT_ID_LENGTH;
+	}
+	if (x509_verify_init(&sign_ctx, &client_sign_key, signer_id, signer_idlen, sig, siglen) != 1
+		|| x509_verify_update(&sign_ctx, conn->transcript, conn->transcript_len) != 1
+		|| x509_verify_finish(&sign_ctx) != 1) {
+		error_print();
+		return -1;
+	}
 
 	if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 		error_print();