Add support for SSL hostname validation (OpenSSL 1.0.2 and later).

src/socket.c

@@ -142,27 +142,38 @@ open_secure_connection(session *ssn)
 	if (!(ssn->sslconn = SSL_new(ctx)))
 		goto fail;
 
-#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
 	if (get_option_boolean("certificates")) {
+#if OPENSSL_VERSION_NUMBER >= 0x10000010L
 		SSL_set_hostflags(ssn->sslconn,
-		    X509_CHECK_FLAG_NO_WILDCARDS);
+		    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 		if (!SSL_set1_host(ssn->sslconn, ssn->server)) {
 			error("failed setting hostname validation to "
 			    "%s; %s\n ", ssn->server,
 			    ERR_error_string(ERR_get_error(), NULL));
 			goto fail;
 		}
-		SSL_set_verify(ssn->sslconn, SSL_VERIFY_PEER, NULL);
-	}
 
-	r = SSL_set_tlsext_host_name(ssn->sslconn, ssn->server);
-	if (r == 0) {
-		error("failed setting the Server Name Indication (SNI) to "
-		    "%s; %s\n", ssn->server,
-		    ERR_error_string(ERR_get_error(), NULL));
-		goto fail;
-	}
+		r = SSL_set_tlsext_host_name(ssn->sslconn, ssn->server);
+		if (r == 0) {
+			error("failed setting the Server Name Indication (SNI)"
+			    " to %s; %s\n", ssn->server,
+			    ERR_error_string(ERR_get_error(), NULL));
+			goto fail;
+		}
+#else
+		X509_VERIFY_PARAM *param = SSL_get0_param(ssn->sslconn);
+		X509_VERIFY_PARAM_set_hostflags(param,
+		    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+		if (!X509_VERIFY_PARAM_set1_host(param, ssn->server,
+		    strlen(ssn->server))) {
+			error("failed setting hostname validation to "
+			    "%s; %s\n ", ssn->server,
+			    ERR_error_string(ERR_get_error(), NULL));
+			goto fail;
+		}
 #endif
+		SSL_set_verify(ssn->sslconn, SSL_VERIFY_PEER, NULL);
+	}
 
 	SSL_set_fd(ssn->sslconn, ssn->socket);