Description: Support OpenSSL 1.1
 When building with OpenSSL 1.1 and newer, use the new built-in hostname verification instead of code that doesn't compile due to structs having been made opaque.
Bug-Debian: https://bugs.debian.org/828589
--- a/src/osdep/unix/ssl_unix.c
+++ b/src/osdep/unix/ssl_unix.c
@ -215,8 +215,15 @@
 /* disable certificate validation? */
 if (flags & NET_NOVALIDATECERT)
 SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
- else SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
+ else {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ X509_VERIFY_PARAM *param = SSL_CTX_get0_param(stream->context);
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ X509_VERIFY_PARAM_set1_host(param, host, 0);
+#endif
+ SSL_CTX_set_verify (stream->context,SSL_VERIFY_PEER,ssl_open_verify);
 /* set default paths to CAs */
+ }
 SSL_CTX_set_default_verify_paths (stream->context);
 /* create connection */
 if (!(stream->con = (SSL *) SSL_new (stream->context)))
@@ -229,6 +236,7 @@
 if (SSL_write (stream->con,"",0) < 0)
 return ssl_last_error ? ssl_last_error : "SSL negotiation failed";
 /* need to validate host names? */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 if (!(flags & NET_NOVALIDATECERT)) {
 /* get certificate */
 if (!(cert = SSL_get_peer_certificate (stream->con)))
@@ -247,6 +255,7 @@
 return ssl_last_error = cpystr (tmp);
 }
 }
+#endif
 return NIL;
 }
 
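Review bot: In the first hunk the return value of `X509_VERIFY_PARAM_set1_host(param, host, 0)` is ignored, so if it fails (it returns 0 when it cannot store the name) the context keeps SSL_VERIFY_PEER with no expected host name, and because the second and third hunks compile the manual post-handshake check out on the 1.1 path, the connection would then succeed against any certificate that merely chains to a trusted CA. The failure should abort the connection in the function's existing string-error style, e.g. `if (!X509_VERIFY_PARAM_set1_host (param,host,0)) return "Unable to set expected host name";` (the enclosing function, and whatever releases stream->context on an early return, begins outside the hunk, so confirm an early return at this point is safe). `SSL_CTX_get0_param` is likewise unchecked; a NULL test before the two X509_VERIFY_PARAM calls costs one line. On the new path a hostname mismatch arrives as one more verify error delivered to `ssl_open_verify`, which is not in the hunk, so it is worth confirming that callback does not override a failed verification for any error code, otherwise the 1.1 build would be weaker than the manual check it replaces.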