From 9b18e47671eb8a71aa655e9f5842947252c73194 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sun, 8 Nov 2015 00:19:56 +0900
Subject: [PATCH] nghttpx: Use --backend-tls-sni-field to verify certificate hostname
---
 src/shrpx_ssl.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index 5d72cbbf..d204e2d6 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -930,7 +930,10 @@ int check_cert(SSL *ssl, const DownstreamAddr *addr) {
 std::vector dns_names;
 std::vector ip_addrs;
 get_altnames(cert, dns_names, ip_addrs, common_name);
- if (verify_hostname(addr->host.get(), &addr->addr, dns_names, ip_addrs,
+ auto hostname = get_config()->backend_tls_sni_name
+ ? get_config()->backend_tls_sni_name.get()
+ : addr->host.get();
+ if (verify_hostname(hostname, &addr->addr, dns_names, ip_addrs,
 common_name) != 0) {
 LOG(ERROR) << "Certificate verification failed: hostname does not match";
 return -1;
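Review bot: The failure log after `verify_hostname` still says only "hostname does not match", but the expected name can now come from either `backend_tls_sni_name` or `addr->host`, so an operator cannot tell which identity the backend certificate was checked against. Naming it in the message would separate a misconfigured override from a wrong certificate: `LOG(ERROR) << "Certificate verification failed: hostname does not match " << hostname;`. The ternary tests only that `backend_tls_sni_name` is non-null; if option parsing can leave it pointing at an empty string (not visible in this hunk), verification would run against an empty name, so either also test the first character or state the invariant in a comment. The override is read from global config, so it presumably applies to every backend address; a one-line comment above `auto hostname` such as `// configured SNI name, when set, replaces the backend host as the identity the certificate must match` would document that. `check_cert` begins and ends outside this hunk.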