authorJeremy Harris <jgh146exb@wizmail.org>2014-11-06 21:22:18 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2014-11-06 21:22:18 +0000
commita320fabd09f43c02c869c90a5a5a70a49dd77f89 (patch)
tree341ccb129d815e0c2daa6c0b8531fc0d4756eb7d /src
parent09c17790eec23907b93df1ec7cee746b28dfc836 (diff)
EXPERIMENTAL_CERTNAMES: Hostlist for cert name checks should match host
connected-to, not be list of acceptable names. The name checked is the host name.
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-gnu.c10
-rw-r--r--src/src/tls-openssl.c10
2 files changed, 6 insertions, 14 deletions
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 04de02d74..093b3a375 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1846,17 +1846,13 @@ if (( state->exp_tls_verify_certificates
)
{
#ifdef EXPERIMENTAL_CERTNAMES
- if (ob->tls_verify_cert_hostnames)
+ if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK)
{
DEBUG(D_tls)
debug_printf("TLS: server cert incl. hostname verification required.\n");
state->verify_requirement = VERIFY_WITHHOST;
- if (!expand_check(ob->tls_verify_cert_hostnames,
- US"tls_verify_cert_hostnames",
- &state->exp_tls_verify_cert_hostnames))
- return FAIL;
- if (state->exp_tls_verify_cert_hostnames)
- DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+ state->exp_tls_verify_cert_hostnames = host->name;
+ DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
state->exp_tls_verify_cert_hostnames);
}
else
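Review bot: The name the certificate is now checked against at `state->exp_tls_verify_cert_hostnames = host->name;` is whatever the router attached to this host item, which for MX-routed mail comes from an unauthenticated DNS answer, so a spoofed MX/A record steers the client to an attacker's host whose certificate legitimately carries that name; the check defends against a certificate mismatch, not against DNS-level redirection, unless the lookup was DNSSEC-validated. A one-line comment at that assignment would save the next reader the deduction: `/* host->name comes from the router (often an MX lookup); the cert is only as trustworthy as that lookup. */`. The removed code also only reported a name when the expanded value was non-empty, whereas the new code arms VERIFY_WITHHOST unconditionally; if a host item can carry a NULL name (not visible here), the requirement is set with nothing to compare and the `%s` debug print receives NULL, so a fail-closed guard such as `if (!host->name) return FAIL;` before the assignment seems prudent. The enclosing function starts and ends outside the hunk.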
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 63bf83b1d..628860044 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1692,14 +1692,10 @@ if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) ||
client_verify_optional = FALSE;
#ifdef EXPERIMENTAL_CERTNAMES
- if (ob->tls_verify_cert_hostnames)
+ if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK)
{
- if (!expand_check(ob->tls_verify_cert_hostnames,
- US"tls_verify_cert_hostnames",
- &cbinfo->verify_cert_hostnames))
- return FAIL;
- if (cbinfo->verify_cert_hostnames)
- DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+ cbinfo->verify_cert_hostnames = host->name;
+ DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
cbinfo->verify_cert_hostnames);
}
#endif
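Review bot: `verify_check_host(&ob->tls_verify_cert_hostnames) == OK` treats every non-OK result alike, so if the host-list match returns DEFER (Exim host lists can require DNS lookups; inferred, not visible here) a transient lookup failure silently downgrades the session to certificate verification without a hostname check instead of deferring — a fail-open for a control whose whole purpose is to pin the peer's identity. The same idiom on the `tls_verify_hosts` test in the hunk header suggests this is the file's convention, but this option deserves the explicit form: `int rc = verify_check_host(&ob->tls_verify_cert_hostnames); if (rc == DEFER) return FAIL; if (rc == OK)` (FAIL is what the removed expand_check path returned; use DEFER if the caller handles it). Separately, `cbinfo->verify_cert_hostnames = host->name;` aliases the host item's string rather than copying it, so cbinfo must not outlive the host item; presumably fine for a per-connection verify callback, but worth a comment: `/* borrowed from host; valid for the lifetime of this connection */`. The enclosing function starts and ends outside the hunk.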