libinterimap: make SSL_verify check the hostname as well.

More precisely, ensure that the certificate Subject Alternative Name
(SAN) or Subject CommonName (CN) matches the hostname or IP literal
specified by the 'host' option.  Previously it was only verifying the
chain of trust.

This bumps the minimum Net::SSLeay version to 1.83 and OpenSSL version
1.0.2.

3 files changed, 19 insertions, 11 deletions

diff --git a/doc/build.md b/doc/build.md
index 4a4f80d..47d1a89 100644
--- a/doc/build.md
+++ b/doc/build.md
@@ -24,7 +24,7 @@ following Perl modules:
   * [`Getopt::Long`](https://perldoc.perl.org/Getopt/Long.html) (*core module*)
   * [`MIME::Base64`](https://perldoc.perl.org/MIME/Base64.html) (*core module*) — if authentication is required
   * [`List::Util`](https://perldoc.perl.org/List/Util.html) (*core module*)
-  * [`Net::SSLeay`](https://metacpan.org/pod/Net::SSLeay) ≥1.73
+  * [`Net::SSLeay`](https://metacpan.org/pod/Net::SSLeay) ≥1.83
   * [`POSIX`](https://perldoc.perl.org/POSIX.html) (*core module*)
   * [`Socket`](https://perldoc.perl.org/Socket.html) (*core module*)
   * [`Time::HiRes`](https://perldoc.perl.org/Time/HiRes.html) (*core module*) — if `logfile` is set
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index ab35275..d21424b 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -420,15 +420,19 @@ Valid options are:
 
 *SSL_verify*
 
-:   Whether to verify the server certificate chain.
+:   Whether to verify the server certificate chain, and match its
+    Subject Alternative Name (SAN) or Subject CommonName (CN) against
+    the value of the *host* option.
+    (Default: `YES`.)
+
     Note that using *SSL_fingerprint* to specify the fingerprint of the
     server certificate provides an independent server authentication
-    measure as it ignores the CA chain.
-    (Default: `YES`.)
+    measure as it pins directly its key material and ignore its chain of
+    trust.
 
 *SSL_CApath*
 
-:   Directory to use for server certificate verification if
+:   Directory to use for server certificate verification when
     `SSL_verify=YES`.
     This directory must be in “hash format”, see [`verify`(1ssl)] for
     more information.
@@ -436,7 +440,7 @@ Valid options are:
 *SSL_CAfile*
 
 :   File containing trusted certificates to use during server
-    certificate verification if `SSL_verify=YES`.
+    certificate verification when `SSL_verify=YES`.
 
 Supported extensions  {#supported-extensions}
 ====================
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index 57790a6..bcf5ade 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -239,15 +239,19 @@ Valid options are:
 
 *SSL_verify*
 
-:   Whether to verify the server certificate chain.
+:   Whether to verify the server certificate chain, and match its
+    Subject Alternative Name (SAN) or Subject CommonName (CN) against
+    the value of the *host* option.
+    (Default: `YES`.)
+
     Note that using *SSL_fingerprint* to specify the fingerprint of the
     server certificate provides an independent server authentication
-    measure as it ignores the CA chain.
-    (Default: `YES`.)
+    measure as it pins directly its key material and ignore its chain of
+    trust.
 
 *SSL_CApath*
 
-:   Directory to use for server certificate verification if
+:   Directory to use for server certificate verification when
     `SSL_verify=YES`.
     This directory must be in “hash format”, see [`verify`(1ssl)] for
     more information.
@@ -255,7 +259,7 @@ Valid options are:
 *SSL_CAfile*
 
 :   File containing trusted certificates to use during server
-    certificate verification if `SSL_verify=YES`.
+    certificate verification when `SSL_verify=YES`.
 
 Control flow  {#control-flow}
 ============