add back X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
diff --git a/lib/openssl.c b/lib/openssl.c
index df0323d..c35283f 100644
--- a/lib/openssl.c
+++ b/lib/openssl.c
@@ -1240,12 +1240,19 @@
X509_VERIFY_PARAM_set_purpose(params, is_server ? X509_PURPOSE_SSL_SERVER : X509_PURPOSE_SSL_CLIENT);
X509_VERIFY_PARAM_set_depth(params, 2);
+#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
if (server_name != NULL) {
- if (ptls_server_name_is_ipaddr(server_name))
- X509_VERIFY_PARAM_set1_host(params, server_name, 0);
- else
+ if (ptls_server_name_is_ipaddr(server_name)) {
X509_VERIFY_PARAM_set1_ip_asc(params, server_name);
+ }
+ else {
+ X509_VERIFY_PARAM_set1_host(params, server_name, 0);
+ X509_VERIFY_PARAM_set_hostflags(params, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ }
}
+ #else
+#warning "hostname validation is disabled; OpenSSL >= 1.0.2 or LibreSSL >= 2.5.0 is required"
+#endif
X509_STORE_CTX_set0_param(verify_ctx, params);
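Review bot: The return values of `X509_VERIFY_PARAM_set1_ip_asc` and `X509_VERIFY_PARAM_set1_host` are ignored, so if either fails (they return 0 on e.g. allocation failure or an unparsable address) the params are handed to `X509_STORE_CTX_set0_param` with no name bound, and chain verification then runs without any hostname/IP match — a fail-open path. Each call should be checked and a failure routed to the enclosing function's error path, e.g. `if (!X509_VERIFY_PARAM_set1_host(params, server_name, 0)) /* fail verification */` and the same for the IP branch; the enclosing function starts outside this hunk, so I cannot see which error code it returns. The `#else` branch has the same fail-open shape: on an OpenSSL without `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` the build succeeds with only a `#warning` and `server_name` is never used, so the verifier will presumably accept any chain that validates regardless of name; consider `#error` unless a build option explicitly opts into unverified hostnames, or at least reject the connection at runtime when `server_name != NULL`. Note also that the `#ifdef` only works if the header defining the flag (`openssl/x509v3.h`) is included in this translation unit, otherwise the whole block silently compiles out. Minor style: the ` #else` on the new side is indented by one space while `#ifdef`, `#warning` and `#endif` sit at column 0.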