lib-ssl-iostream: Call ssl_iostream_check_cert_validity as default
authorAki Tuomi <aki.tuomi@open-xchange.com>
Mon, 25 Feb 2019 15:44:09 +0000 (17:44 +0200)
committerVille Savolainen <ville.savolainen@dovecot.fi>
Thu, 21 Mar 2019 08:02:56 +0000 (10:02 +0200)
Unless a callback is specified, call ssl_iostream_check_cert_validity
instead of ssl_iostream_cert_match_name to make sure we perform the
same checks consistently.

src/lib-ssl-iostream/iostream-openssl.c

index b0393361d5199f00278bfa136992a809fcd44dfc..16e4ca33e0de7266674d02bb02b883aba0ce0750 100644 (file)
@@ -673,10 +673,8 @@ static int openssl_iostream_handshake(struct ssl_iostream *ssl_io)
                }
        } else if (ssl_io->connected_host != NULL && !ssl_io->handshake_failed &&
                  !ssl_io->allow_invalid_cert) {
-               if (!ssl_iostream_cert_match_name(ssl_io, ssl_io->connected_host, &reason)) {
-                       openssl_iostream_set_error(ssl_io, t_strdup_printf(
-                               "SSL certificate doesn't match expected host name %s: %s",
-                               ssl_io->connected_host, reason));
+               if (ssl_iostream_check_cert_validity(ssl_io, ssl_io->connected_host, &reason) < 0) {
+                       openssl_iostream_set_error(ssl_io, reason);
                        ssl_io->handshake_failed = TRUE;
                }
        }
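Review bot: The default verification in the `else if` branch still runs only when `ssl_io->connected_host != NULL`, so as far as this hunk shows, a connection with no callback and no host set completes the handshake without `ssl_iostream_check_cert_validity` being called at all. If that is intended (for example for server-side streams, which is an assumption from here), it deserves a comment above the branch such as `/* no callback: run the default validity + host name check; skipped when no host is known or allow_invalid_cert is set */`. The error text now comes entirely from `reason`, so this call site relies on `ssl_iostream_check_cert_validity` always setting it on a negative return; its definition is not in the diff, so that is worth confirming. The enclosing `openssl_iostream_handshake` begins and ends outside the hunk.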