S2S-TLS/OpenSSL: Always setup host name verification
authorAlexander Barton <alex@barton.de>
Mon, 1 Jan 2024 18:58:35 +0000 (19:58 +0100)
committerAlexander Barton <alex@barton.de>
Sat, 23 Mar 2024 19:19:01 +0000 (20:19 +0100)
Set up host name verification even when the "SSLVerify" option is
disabled, because even then the peer can present a valid certificate and
validation would always(!) fail because of the missing host name
verification setup.

src/ngircd/conn-ssl.c

index dcd21defe4b57aece797198d9f7360ff5b5bca50..ce4e27c1513cf35ea673583030dbb2d298cc8343 100644 (file)
@@ -748,25 +748,27 @@ ConnSSL_PrepareConnect(CONNECTION * c, CONF_SERVER * s)
        if (!ret)
                return false;
        Conn_OPTION_ADD(c, CONN_SSL_CONNECT);
+
 #ifdef HAVE_LIBSSL
        assert(c->ssl_state.ssl);
-       if (s->SSLVerify) {
-               X509_VERIFY_PARAM *param = NULL;
-               param = SSL_get0_param(c->ssl_state.ssl);
-               X509_VERIFY_PARAM_set_hostflags(param,
-                                               X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-               int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
-               if (err != 1) {
-                       Log(LOG_ERR,
-                           "Cannot set up hostname verification for '%s': %u",
-                           s->host, err);
-                       return false;
-               }
+
+       X509_VERIFY_PARAM *param = SSL_get0_param(c->ssl_state.ssl);
+       X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+       int err = X509_VERIFY_PARAM_set1_host(param, s->host, 0);
+       if (err != 1) {
+               Log(LOG_ERR,
+                   "Cannot set up hostname verification for '%s': %u",
+                   s->host, err);
+               return false;
+       }
+
+       if (s->SSLVerify)
                SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_PEER,
                               Verify_openssl);
-       else
+       else
                SSL_set_verify(c->ssl_state.ssl, SSL_VERIFY_NONE, NULL);
 #endif
+
        return true;
 }
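Review bot: X509_VERIFY_PARAM_set1_host() treats an empty name as "clear the host list" and still returns 1, so if s->host can be empty when ConnSSL_PrepareConnect() reaches the now-unconditional call at the top of the new block, host name checking is silently dropped instead of being reported through the `err != 1` path; if an empty host is possible here (I cannot tell from the hunk), an explicit guard such as `if (*s->host == '\0') { Log(LOG_ERR, "No host name for verification of '%s'", s->name); return false; }` before the set1_host call would make that case fail loudly. The diagnostic also prints the `int` return value with `%u`; `%d` matches the type. The reason the host setup now runs even with SSLVerify off is only in the commit message, so a short comment above `X509_VERIFY_PARAM *param = SSL_get0_param(...)` would help the next reader, e.g. `/* Configure host name checking regardless of SSLVerify: with SSL_VERIFY_NONE the result is not enforced but is presumably still reported when the peer certificate is examined later */`. ConnSSL_PrepareConnect() starts outside this hunk.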