commit ec82240f4baca75f362fe55253c4b7e1cae7e9f3
author Victor Stewart <v@nametag.social> Tue Mar 23 22:39:32 2021 +0000
committer Victor Stewart <v@nametag.social> Tue Mar 23 22:39:32 2021 +0000
tree aa7d6042d0ac9705dd2fd7660fb775b66bbe5ab4
parent 9211c0f6ce7fb7822f83cb80d087923547127641

add back X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS

lib/openssl.c

diff --git a/lib/openssl.c b/lib/openssl.c
index df0323d..c35283f 100644
--- a/lib/openssl.c
+++ b/lib/openssl.c
@@ -1240,12 +1240,19 @@
     X509_VERIFY_PARAM_set_purpose(params, is_server ? X509_PURPOSE_SSL_SERVER : X509_PURPOSE_SSL_CLIENT);
     X509_VERIFY_PARAM_set_depth(params, 2);
 
+#ifdef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
     if (server_name != NULL) {
-        if (ptls_server_name_is_ipaddr(server_name)) 
-            X509_VERIFY_PARAM_set1_host(params, server_name, 0);
-        else                                        
+        if (ptls_server_name_is_ipaddr(server_name)) {
             X509_VERIFY_PARAM_set1_ip_asc(params, server_name);
+        }
+        else {
+            X509_VERIFY_PARAM_set1_host(params, server_name, 0);
+            X509_VERIFY_PARAM_set_hostflags(params, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+        }          
     }
+    #else
+#warning "hostname validation is disabled; OpenSSL >= 1.0.2 or LibreSSL >= 2.5.0 is required"
+#endif
 
     X509_STORE_CTX_set0_param(verify_ctx, params);