Enable hostname validation for server certificates

Without this setting, OpenSSL would only validate that the certificate
has a valid signature from a trusted CA, but not that it actually matches
the host to whom we were trying to connect.

Author: Benno Evers

libcaf_openssl/src/openssl/session.cpp

@@ -159,6 +159,13 @@ bool session::try_connect(native_socket fd, const std::string& sni_servername) {
   CAF_BLOCK_SIGPIPE();
   SSL_set_fd(ssl_, fd);
   SSL_set_connect_state(ssl_);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+  // Enable hostname validation.
+  SSL_set_hostflags(ssl_, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+  if (SSL_set1_host(ssl_, sni_servername.c_str()) != 1)
+    return false;
+#endif
+  // Send SNI when connecting.
   SSL_set_tlsext_host_name(ssl_, sni_servername.c_str());
   auto ret = SSL_connect(ssl_);
   if (ret == 1)