From 2b5568023eb23c5c3c64868e53f8156de0ea5033 Mon Sep 17 00:00:00 2001
From: Benno Evers
Date: Fri, 3 Feb 2023 14:34:14 +0100
Subject: [PATCH] Enable hostname validation for server certificates

Without this setting, OpenSSL would only validate that the certificate has a valid signature from a trusted CA, but not that it actually matches the host to whom we were trying to connect.
---
 libcaf_openssl/src/openssl/session.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libcaf_openssl/src/openssl/session.cpp b/libcaf_openssl/src/openssl/session.cpp
index dcdfb34c13..9f7fbc411c 100644
--- a/libcaf_openssl/src/openssl/session.cpp
+++ b/libcaf_openssl/src/openssl/session.cpp
@@ -159,6 +159,11 @@ bool session::try_connect(native_socket fd, const std::string& sni_servername) {
 CAF_BLOCK_SIGPIPE();
 SSL_set_fd(ssl_, fd);
 SSL_set_connect_state(ssl_);
+ // Enable hostname validation.
+ SSL_set_hostflags(ssl_, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ if (SSL_set1_host(ssl_, sni_servername.c_str()) != 0)
+ return false;
+ // Send SNI when connecting.
 SSL_set_tlsext_host_name(ssl_, sni_servername.c_str());
 auto ret = SSL_connect(ssl_);
 if (ret == 1)
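Review bot: The return-value test on `SSL_set1_host` in the added lines is inverted: OpenSSL documents 1 for success and 0 for failure, so `!= 0` makes try_connect return false whenever the host was set and lets the handshake continue with no reference hostname when the call failed. The check should read `if (SSL_set1_host(ssl_, sni_servername.c_str()) != 1)`. An empty `sni_servername` also deserves an explicit rejection before this call, because OpenSSL treats an empty name as a request to clear the host list and then performs no name check at all. The hostname match is only enforced when peer verification is enabled on the context, which is configured outside this hunk and should be confirmed; try_connect's body continues past the last visible line.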