+ if (!X509_STORE_add_cert(client_static_state->u_ocsp.client.verify_store,
+ cert))
+ ERR_clear_error();
+ sk_X509_push(client_static_state->verify_stack, cert);
+ }
+#endif
+#ifndef DISABLE_EVENT
+ if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
+ return 0; /* reject, with peercert set */
+#endif
+ }
+else
+ {
+ const uschar * verify_cert_hostnames;
+
+ if ( tlsp == &tls_out
+ && ((verify_cert_hostnames = client_static_state->verify_cert_hostnames)))
+ /* client, wanting hostname check */
+ {
+
+#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
+# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
+# endif
+# ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+# define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
+# endif
+ int sep = 0;
+ const uschar * list = verify_cert_hostnames;
+ uschar * name;
+ int rc;
+ while ((name = string_nextinlist(&list, &sep, NULL, 0)))
+ if ((rc = X509_check_host(cert, CCS name, 0,
+ X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+ | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
+ NULL)))
+ {
+ if (rc < 0)
+ {
+ log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error",
+ tlsp == &tls_out ? deliver_host_address : sender_host_address);
+ name = NULL;
+ }
+ break;
+ }
+ if (!name)
+#else
+ if (!tls_is_name_for_cert(verify_cert_hostnames, cert))
+#endif
+ {
+ uschar * extra = verify_mode
+ ? string_sprintf(" (during %c-verify for [%s])",
+ *verify_mode, sender_host_address)
+ : US"";
+ log_write(0, LOG_MAIN,
+ "[%s] SSL verify error%s: certificate name mismatch: DN=\"%s\" H=\"%s\"",
+ tlsp == &tls_out ? deliver_host_address : sender_host_address,
+ extra, dn, verify_cert_hostnames);
+ *calledp = TRUE;
+ if (!*optionalp)
+ {
+ if (!tlsp->peercert)
+ tlsp->peercert = X509_dup(cert); /* record failing cert */
+ return 0; /* reject */
+ }
+ DEBUG(D_tls) debug_printf("SSL verify name failure overridden (host in "
+ "tls_try_verify_hosts)\n");
+ tlsp->verify_override = TRUE;
+ }
+ }
+
+#ifndef DISABLE_EVENT
+ if (verify_event(tlsp, cert, depth, dn, calledp, optionalp, US"SSL"))
+ return 0; /* reject, with peercert set */
+#endif
+
+ DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
+ *calledp ? "" : " authenticated", dn);
+ *calledp = TRUE;
+ }
+
+return 1; /* accept, at least for this level */