From 2bf97e3ea594edf9a4b88902b1738fe553436ae7 Mon Sep 17 00:00:00 2001
From: Johan Hedin
Date: Sat, 27 Jul 2024 14:45:38 +0200
Subject: [PATCH] Set verify_mode on SSL object after SSL_CTX switch

When a SSL object is updated with a new SSL_CTX due to a "SNI switch", the verify_mode from the new SSL_CTX is not propagated to the SSL object and need to be set explicitly.
---
 src/crypto/openssl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/crypto/openssl.c b/src/crypto/openssl.c
index 4473679a..de00e64a 100644
--- a/src/crypto/openssl.c
+++ b/src/crypto/openssl.c
@@ -618,6 +618,7 @@ int sni_cb(SSL *ssl, int *al, void *arg) {
 if (resolved_ssl_context) {
 //printf("Did find matching SNI context for hostname: <%s>!\n", hostname);
 SSL_set_SSL_CTX(ssl, resolved_ssl_context);
+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(resolved_ssl_context), SSL_CTX_get_verify_callback(resolved_ssl_context));
 } else {
 /* Call a blocking callback notifying of missing context */
 }
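Review bot: The return value of `SSL_set_SSL_CTX` on the line before the added call is not checked; it returns NULL when the context switch fails, and in that case the connection keeps the default context's certificate while the new `SSL_set_verify` call still installs the resolved context's verify mode and callback, so a failed switch could pair the default certificate with a weaker peer-verification policy than the default context was configured with. Guard the switch and only copy the verify settings on success, e.g. `if (SSL_set_SSL_CTX(ssl, resolved_ssl_context) == NULL) { *al = SSL_AD_INTERNAL_ERROR; return SSL_TLSEXT_ERR_ALERT_FATAL; }`; sni_cb's other return paths lie outside the hunk, so match whatever failure convention they already use. The verify depth (`SSL_CTX_get_verify_depth` / `SSL_set_verify_depth`) is presumably also stored per-SSL and not carried across by the switch, so it likely needs the same explicit copy — worth confirming against the OpenSSL version in use. The added line is also well over typical width; putting the two `SSL_CTX_get_verify_*` arguments on their own lines would make the intent easier to read.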