diff --git a/src/tofu.c b/src/tofu.c

index 4eeb7fd0eb8df7423fe8fd8f106e2fe433fa8716..4c25d5eb50a7dcb92d2990364527b04bdb66d588 100644

--- a/src/tofu.c

+++ b/src/tofu.c

@@ -6,6 +6,7 @@ #include <openssl/asn1.h>

#include <openssl/evp.h>

#include <openssl/ssl.h>

#include <openssl/x509.h>

+#include <openssl/x509v3.h>

#include <stdio.h>

#include <string.h>

#include <time.h>

@@ -27,8 +28,6 @@ // rejecting it.

//

// If you're reading this code with the intent to re-use it, think

// twice.

- //

- // TODO: Check that the subject name is valid for the requested URL.

struct gemini_tofu *tofu = (struct gemini_tofu *)data;

X509 *cert = X509_STORE_CTX_get0_cert(ctx);

struct known_host *host = NULL;

@@ -70,6 +69,12 @@ SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,

SSL_get_ex_data_X509_STORE_CTX_idx());

const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);

if (!servername) {

+ rc = X509_V_ERR_HOSTNAME_MISMATCH;

+ goto invalid_cert;

+ }

+

+ rc = X509_check_host(cert, servername, strlen(servername), 0, NULL);

+ if (rc != 1) {

rc = X509_V_ERR_HOSTNAME_MISMATCH;

goto invalid_cert;

}
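Review bot: The new `X509_check_host` call at the `rc = X509_check_host(cert, servername, strlen(servername), 0, NULL);` line only matches dNSName SAN entries (with a Common Name fallback when the certificate has no SAN, since flags are 0), so a server reached by IP literal would fail here even if its certificate carries a matching iPAddress SAN; whether that case can arrive with SNI set is not visible in this hunk, but if it can, the address form should be routed to `X509_check_ip_asc(cert, servername, 0)` instead. The `rc != 1` test correctly treats the -1 (internal error) and -2 (malformed input) returns as a mismatch rather than a match, which is worth stating in a comment, e.g. `/* 1 = match; 0, -1, -2 are all treated as hostname mismatch */`. The zero flags also permit partial wildcards such as `f*o.example`; passing `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` would tighten that without affecting the CN fallback that self-signed TOFU certificates are likely to rely on. The enclosing verify callback starts before this hunk and continues past it.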