From de978800f04d3d585f3be4ceeddf46d2a6f3efb7 Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Thu, 16 Jan 2020 19:51:44 +0000
Subject: [PATCH] openssl: disallow client connections if X509_VERIFY_PARAM_set1_host absent from tls lib

https://github.com/warmcat/libwebsockets/issues/1827
---
 lib/tls/openssl/openssl-client.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
index 12af37103..e7d51c7c6 100644
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@@ -186,6 +186,13 @@ lws_ssl_client_bio_create(struct lws *wsi)
 if (!X509_VERIFY_PARAM_set1_ip_asc(param, hostname))
 X509_VERIFY_PARAM_set1_host(param, hostname, 0);
 }
+#else
+ if (!(wsi->tls.use_ssl & LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK)) {
+ lwsl_err("%s: your tls lib is too old to have " "X509_VERIFY_PARAM_set1_host, failing all client tls\n", __func__);
+ return -1;
+ }
 #endif
 #if !defined(USE_WOLFSSL)
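Review bot: The `return -1` in the new `#else` branch leaves lws_ssl_client_bio_create without any local cleanup, so if the SSL object or BIO has already been created earlier in the function (its start is outside this hunk), this path either needs a `goto` to the existing failure cleanup or a confirmation that the caller releases `wsi->tls.ssl` on a non-zero return. The branch would also benefit from a comment stating why a hard failure is the right default, e.g. `/* without X509_VERIFY_PARAM_set1_host the chain is validated but never bound to the requested hostname, so any CA-signed cert would be accepted */`, since the error message alone reads as a compatibility complaint rather than a security decision. Note the asymmetry with the `#if` side visible in the context lines, where the `X509_VERIFY_PARAM_set1_host` return value is ignored: a failure to bind the hostname there proceeds silently, while the missing-API case now fails the connection.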