From 7703f97b967e4e76aa6da4463109a7f7b9ca2c84 Mon Sep 17 00:00:00 2001
From: Benno Evers
Date: Fri, 3 Feb 2023 14:34:14 +0100
Subject: [PATCH] Enable hostname validation for server certificates

Without this setting, OpenSSL would only validate that the certificate has a valid signature from a trusted CA, but not that it actually matches the host to whom we were trying to connect.
---
 libcaf_openssl/src/openssl/session.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libcaf_openssl/src/openssl/session.cpp b/libcaf_openssl/src/openssl/session.cpp
index dcdfb34c13..93d8ed9519 100644
--- a/libcaf_openssl/src/openssl/session.cpp
+++ b/libcaf_openssl/src/openssl/session.cpp
@@ -159,6 +159,13 @@ bool session::try_connect(native_socket fd, const std::string& sni_servername) {
 CAF_BLOCK_SIGPIPE();
 SSL_set_fd(ssl_, fd);
 SSL_set_connect_state(ssl_);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ // Enable hostname validation.
+ SSL_set_hostflags(ssl_, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ if (SSL_set1_host(ssl_, sni_servername.c_str()) != 1)
+ return false;
+#endif
+ // Send SNI when connecting.
 SSL_set_tlsext_host_name(ssl_, sni_servername.c_str());
 auto ret = SSL_connect(ssl_);
 if (ret == 1)
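Review bot: Two paths through the added `#if` block still connect without a hostname check. When `sni_servername` is empty, `SSL_set1_host` clears the expected name and reports success, so no name check is performed; a guard such as `if (sni_servername.empty()) return false;` before the call would make that case fail closed, provided no caller legitimately passes an empty name. On OpenSSL older than 1.1.0 the check is compiled out silently, so an `#else` branch that either uses the 1.0.2 `X509_VERIFY_PARAM_set1_host` route via `SSL_get0_param(ssl_)` or emits `#error`/a warning log would keep the downgrade from going unnoticed. A name mismatch also aborts the handshake only when the verify mode includes `SSL_VERIFY_PEER`, which is configured outside this hunk and is worth confirming. The body of `try_connect` continues past the end of the hunk.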