From 329adcfbbac5e2281e363ebf0ab9958535b3733d Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Thu, 16 Jan 2020 19:49:56 +0000
Subject: [PATCH] openssl: disallow client connections if X509_VERIFY_PARAM_set1_host absent from tls lib

https://github.com/warmcat/libwebsockets/issues/1827
---
 lib/tls/openssl/openssl-client.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
index c5d297b03..636dcba25 100644
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@@ -196,6 +196,13 @@ lws_ssl_client_bio_create(struct lws *wsi)
 		if (!X509_VERIFY_PARAM_set1_ip_asc(param, hostname))
 			X509_VERIFY_PARAM_set1_host(param, hostname, 0);
 	}
+#else
+	if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
+		lwsl_err("%s: your tls lib is too old to have " "X509_VERIFY_PARAM_set1_host, failing all client tls\n", __func__);
+		return -1;
+	}
 #endif
 #if !defined(USE_WOLFSSL)