I'd like to propose a patch for checking the subject alternative names entry in the SSL certificate for DNS names during SSL authentication.
Thanks! I just ran into this missing feature last week, while working on my SSL test suite. So +1 for having the feature.
This patch needs to be rebased over current master branch, thanks to my refactoring that moved all OpenSSL-specific stuff to be-secure-openssl.c.
The patch is rebased against fe-secure-openssl.c (that's where verify_peer_name_matches_certificate appeared in the master branch). I've changed the condition in the for loop to be less confusing (thanks to comments from Magnus and Tom), making an explicit break once a match is detected.
Note that it generates a lot of OpenSSL-related warnings on my system (66 total) with clang, complaining about $X is deprecated: first deprecated in OS X 10.7 [-Wdeprecated-declarations], but it does so for most other SSL functions, so I don't think it's a problem introduced by this patch.
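To make the matching loop discussed in this thread concrete, here is an added Python illustration of how a client can check a hostname against the certificate's subjectAltName dNSName entries, stopping at the first match as the rebased patch does. This is not PostgreSQL's code and not the C function named above; the SAN list and CN are constructed sample values standing in for what OpenSSL would return (for example via X509_get_ext_d2i with NID_subject_alt_name), and the wildcard rules and the CN-only-when-no-dNSName fallback are taken from RFC 6125 sections 6.4.3 and 6.4.4, which the thread itself does not spell out.

```python
"""Hostname matching against certificate subjectAltName dNSName entries.

Added illustration, not PostgreSQL's fe-secure-openssl.c. It mirrors the
loop structure the patch describes: walk the dNSName entries and stop at
the first match. Wildcard handling and the CN fallback are assumptions
taken from RFC 6125, not something the thread specifies.
"""


def _labels_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname, case-insensitively.

    A single '*' is accepted only as the entire leftmost label and matches
    exactly one label: '*.db.example.com' matches 'a.db.example.com' but
    not 'db.example.com' or 'x.y.db.example.com'. Patterns with fewer than
    three labels ('*.com') and names containing an embedded NUL are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "\x00" in pattern or "\x00" in hostname:
        return False                     # reject empty names and embedded NULs
    if "*" not in pattern:
        return pattern == hostname       # plain exact match
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False                     # wildcard must be the whole leftmost label
    if len(p_labels) < 3:
        return False                     # refuse overly broad patterns like '*.com'
    # Same number of labels and everything right of the wildcard identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def peer_name_matches_certificate(hostname, san_dns_names, common_name=None):
    """Return (matched, reason) for hostname against the certificate names.

    san_dns_names: list of dNSName strings pulled from subjectAltName.
    common_name:   the subject CN, consulted only when no dNSName is present
                   (RFC 6125 section 6.4.4 behaviour, an assumption here).
    """
    for name in san_dns_names:
        if _labels_match(name, hostname):
            # Explicit stop on first match, as in the patch's for loop.
            return True, "matched subjectAltName dNSName %s" % name
    if san_dns_names:
        # dNSName entries exist but none matched: do NOT fall back to the CN.
        return False, "no subjectAltName dNSName entry matches %s" % hostname
    if common_name is not None and _labels_match(common_name, hostname):
        return True, "matched subject CN (certificate has no dNSName entries)"
    return False, "certificate does not match %s" % hostname


# Constructed sample data (not from any real certificate).
SAMPLE_SAN = ["db1.example.com", "*.db.example.com", "db2.example.org"]
SAMPLE_CN = "old-name.example.com"

if __name__ == "__main__":
    for host in ("db1.example.com", "a.db.example.com", "db.example.com",
                 "old-name.example.com"):
        print(host, peer_name_matches_certificate(host, SAMPLE_SAN, SAMPLE_CN))
```

The point worth noticing is the second `return False`: once a certificate carries any dNSName entries, a non-matching CN must not rescue the connection, otherwise a certificate issued for one set of hosts could be accepted for a name that appears only in its CN.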