Comment 4 for bug 925657

Ok, I have just added some improvements. Now I get something like this the first time I connect to one of my servers with a self-signed certificate:

connected to 192.168.1.175:3389
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: CERTIFICATE NAME MISMATCH! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The hostname used for this connection (192.168.1.175)
does not match the name given in the certificate:
ANGRYBIRDS.awakecoding.com
A valid certificate for the wrong name should NOT be trusted!
Certificate details:
 Subject: CN = ANGRYBIRDS.awakecoding.com
 Issuer: CN = ANGRYBIRDS.awakecoding.com
 Thumbprint: 1a:e6:2b:74:78:e3:1f:eb:83:cb:28:8a:3b:c7:98:76:bd:b8:c2
The above X.509 certificate could not be verified, possibly because you do not have the CA certificate in your certificate store, or the certificate has expired. Please look at the documentation on how to create local certificate store for a private CA.
Do you trust the above certificate? (Y/N)

In this case, the hostname does not match, and the certificate cannot be validated. I modified the code such that if the certificate is validated by x509_verify_cert it still won't get accepted if the hostname does not match either Common Name or one of the Subject Alternate Names. Is that what should be done?

Please take a look and tell me what would still be lacking after these improvements.

Regards,
- Marc-Andre