From: Dr. David von Oheimb <dev@ddvo.net>
Date: Mon, 21 Apr 2025 14:00:39 +0000 (+0200)
Subject: SSL_set1_host.pod: add recommendation to use SSL_{set1,add1}_host() and SSL_set_tlsex... 
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb909d785f89c5f92613865ed8e7afc9f6fb9b2c;p=thirdparty%2Fopenssl.git

SSL_set1_host.pod: add recommendation to use SSL_{set1,add1}_host() and SSL_set_tlsext_host_name()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27457)
---

diff --git a/doc/man3/SSL_set1_host.pod b/doc/man3/SSL_set1_host.pod
index c91a075a6a6..fd16a943198 100644
--- a/doc/man3/SSL_set1_host.pod
+++ b/doc/man3/SSL_set1_host.pod
@@ -38,6 +38,11 @@ is required for DANE TLSA in the presence of service name indirection
 via CNAME, MX or SRV records as specified in RFC7671, RFC7672 or
 RFC7673.
 
+TLS clients are recommended to use SSL_set1_host() or SSL_add1_host()
+for server hostname or IP address validation,
+as well as L<SSL_set_tlsext_host_name(3)> for Server Name Indication (SNI),
+which may be crucial also for correct routing of the connection request.
+
 SSL_set_hostflags() sets the B<flags> that will be passed to
 L<X509_check_host(3)> when name checks are applicable, by default
 the B<flags> value is 0.  See L<X509_check_host(3)> for the list
@@ -99,7 +104,7 @@ the lifetime of the SSL connection.
 =head1 SEE ALSO
 
 L<ssl(7)>,
-L<X509_check_host(3)>,
+L<X509_check_host(3)>, L<SSL_set_tlsext_host_name(3)>,
 L<SSL_get_verify_result(3)>.
 L<SSL_dane_enable(3)>.