Enable OpenSSL >= 1.0.2 native name verification.

1 files changed, 22 insertions, 0 deletions

diff --git a/socket.c b/socket.c
index bcf06491..7550519b 100644
--- a/socket.c
+++ b/socket.c
@@ -636,6 +636,12 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 	subj = X509_get_subject_name(x509_cert);
 	issuer = X509_get_issuer_name(x509_cert);
 
+	if (outlevel >= O_DEBUG) {
+		if (SSLverbose)
+			report(stdout, GT_("SSL verify callback depth %d: preverify_ok == %d, err = %d, %s\n"),
+					depth, ok_return, err, X509_verify_cert_error_string(err));
+	}
+
 	if (outlevel >= O_VERBOSE) {
 		if (depth == 0 && SSLverbose)
 			report(stdout, GT_("Server certificate:\n"));
@@ -1179,6 +1185,22 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 	    }
 	}
 
+	/* OpenSSL >= 1.0.2: set host name for verification */
+	/* XXX FIXME: do we need to change the function's signature and pass the akalist to
+	 * permit the other hostnames through SSL? */
+	/* https://wiki.openssl.org/index.php/Hostname_validation */
+	{
+	    int r;
+	    X509_VERIFY_PARAM *param = SSL_get0_param(_ssl_context[sock]);
+
+	    X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+	    if (0 == (r = X509_VERIFY_PARAM_set1_host(param, servercname, strlen(servercname)))) {
+		report(stderr, GT_("Warning: X509_VERIFY_PARAM_set1_host(%p, \"%s\") failed (code %#x), trying to continue.\n"),
+			(void *)_ssl_context[sock], servercname, r);
+		ERR_print_errors_fp(stderr);
+	    }
+	}
+
 	if( mycert || mykey ) {
 
 	/* Ok...  He has a certificate file defined, so lets declare it.  If