I am writing an SSL/TLS client (using Boost.Beast, but underneath it uses OpenSSL), and although I have set the 'verify_peer' flag on the SSL context, there is no verification that the server presents an X.509 certificate whose Subject Alternative Names contain the hostname of that server.
As this is probably the dumbest type of attack someone could do (using a valid certificate issued for another domain name), I am thinking I'm doing something wrong. But from the documentation, I saw that using "verify_peer" should perform all the verifications...
Now, if not even this simple check is being done, what about expiration of the certificate, revocation status and other checks? Should they be performed manually as well?
For now I am using X509_VERIFY_PARAM_set1_host with SSL_CTX_set1_param to do this specific check.
Best regards,
Theodor