[exim-cvs] Move certificate name checking to mainline, defau…

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Move certificate name checking to mainline, default enabled
Gitweb: http://git.exim.org/exim.git/commitdiff/01a4a5c5cbaa40ca618d3e233991ce183b551477
Commit:     01a4a5c5cbaa40ca618d3e233991ce183b551477
Parent:     ad07e9add2a9959a2cc07c996452fcfc10ccab9f
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Nov 22 19:16:19 2014 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Jan 12 18:58:33 2015 +0000


    Move certificate name checking to mainline, default enabled
    This is an exim client checking a server certificate.
---
 doc/doc-docbook/spec.xfpt           |   13 ++++++++
 doc/doc-txt/ChangeLog               |    5 +++
 doc/doc-txt/experimental-spec.txt   |   35 ----------------------
 src/src/config.h.defaults           |    1 -
 src/src/exim.c                      |    3 --
 src/src/functions.h                 |    2 -
 src/src/tls-gnu.c                   |   14 +--------
 src/src/tls-openssl.c               |   23 ++------------
 src/src/tls.c                       |    2 -
 src/src/transports/smtp.c           |    8 +----
 src/src/transports/smtp.h           |    2 -
 test/confs/2012                     |   56 ++++++++++++++++++----------------
 test/confs/2112                     |   56 ++++++++++++++++++----------------
 test/confs/5601                     |    4 ++
 test/confs/5608                     |    4 ++
 test/confs/5651                     |    4 ++
 test/confs/5658                     |    4 ++
 test/confs/5750                     |    1 +
 test/confs/5760                     |    1 +
 test/confs/5840                     |    1 +
 test/log/2012                       |   22 ++++++++++----
 test/log/2112                       |   22 ++++++++++----
 test/log/5840                       |    2 +
 test/scripts/2000-GnuTLS/2012       |    6 ++++
 test/scripts/2100-OpenSSL/2112      |    6 ++++
 test/scripts/5840-DANE-OpenSSL/5840 |    2 +-
 test/stderr/5410                    |    1 +
 27 files changed, 151 insertions(+), 149 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 542ccaf..5bdf572 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23435,6 +23435,19 @@ The &$tls_out_certificate_verified$& variable is set when
certificate verification succeeds.


+.option tls_verify_cert_hostnames smtp "host list&!!" *
+.cindex "TLS" "server certificate hostname verification"
+.cindex "certificate" "verification of server"
+This option give a list of hosts for which,
+while verifying the server certificate,
+checks will be included on the host name
+(note that this will generally be the result of a DNS MX lookup)
+versus Subject and Subject-Alternate-Name fields.  Wildcard names are permitted
+limited to being the initial component of a 3-or-more component FQDN.
+
+There is no equivalent checking on client certificates.
+
+
 .option tls_verify_certificates smtp string&!! unset
 .cindex "TLS" "server certificate verification"
 .cindex "certificate" "verification of server"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2f29e36..27abe47 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -12,6 +12,11 @@ JH/02 The smtp transport option "multi_domain" is now expanded.
 JH/03 The smtp transport now requests PRDR by default, if the server offers
       it.


+JH/04 Certificate name checking on server certificates, when exim is a client,
+      is now done by default.  The transport option tls_verify_cert_hostname
+      can be used to disable this per-host.  The build option
+      EXPERIMENTAL_CERTNAMES is withdrawn.
+


Exim version 4.85
-----------------
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 4a2a04b..4bcfecf 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1146,41 +1146,6 @@ Adding it to a redirect router makes no difference.



-Certificate name checking
---------------------------------------------------------------
-The X509 certificates used for TLS are supposed be verified
-that they are owned by the expected host. The coding of TLS
-support to date has not made these checks.
-
-If built with EXPERIMENTAL_CERTNAMES defined, code is
-included to do so for server certificates, and a new smtp transport option
-"tls_verify_cert_hostnames" supported which takes a hostlist
-which must match the target host for the additional checks must be made.
-The option currently defaults to empty, but this may change in
-the future. "*" is probably a suitable value.
-Whether certificate verification is done at all, and the result of
-it failing, is stll under the control of "tls_verify_hosts" nad
-"tls_try_verify_hosts".
-
-The name being checked is that for the host, generally
-the result of an MX lookup.
-
-Both Subject and Subject-Alternate-Name certificate fields
-are supported, as are wildcard certificates (limited to
-a single wildcard being the initial component of a 3-or-more
-component FQDN).
-
-The equivalent check on the server for client certificates is not
-implemented. At least one major email provider is using a client
-certificate which fails this check. They do not retry either without
-the client certificate or in clear.
-
-It is possible to duplicate the effect of this checking by
-creative use of Events.
-
-
-
-
DANE
------------------------------------------------------------
DNS-based Authentication of Named Entities, as applied
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index a0997a0..ec4322c 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -167,7 +167,6 @@ it's a default value. */

 /* EXPERIMENTAL features */
 #define EXPERIMENTAL_BRIGHTMAIL
-#define EXPERIMENTAL_CERTNAMES
 #define EXPERIMENTAL_DANE
 #define EXPERIMENTAL_DCC
 #define EXPERIMENTAL_DMARC
diff --git a/src/src/exim.c b/src/src/exim.c
index d6915d4..e0b7546 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -853,9 +853,6 @@ fprintf(f, "Support for:");
 #ifdef EXPERIMENTAL_REDIS
   fprintf(f, " Experimental_Redis");
 #endif
-#ifdef EXPERIMENTAL_CERTNAMES
-  fprintf(f, " Experimental_Certnames");
-#endif
 #ifdef EXPERIMENTAL_DSN
   fprintf(f, " Experimental_DSN");
 #endif
diff --git a/src/src/functions.h b/src/src/functions.h
index a74c94b..68609f2 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -67,9 +67,7 @@ extern void    tls_version_report(FILE *);
 extern BOOL    tls_openssl_options_parse(uschar *, long *);
 # endif
 extern uschar * tls_field_from_dn(uschar *, uschar *);
-# ifdef EXPERIMENTAL_CERTNAMES
 extern BOOL    tls_is_name_for_cert(uschar *, void *);
-# endif


 # ifdef EXPERIMENTAL_DANE
 extern int     tlsa_lookup(const host_item *, dns_answer *, BOOL, BOOL *);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index bdc032f..b520ebf 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -117,9 +117,7 @@ typedef struct exim_gnutls_state {
   uschar *exp_tls_crl;
   uschar *exp_tls_require_ciphers;
   uschar *exp_tls_ocsp_file;
-#ifdef EXPERIMENTAL_CERTNAMES
   uschar *exp_tls_verify_cert_hostnames;
-#endif
 #ifdef EXPERIMENTAL_EVENT
   uschar *event_action;
 #endif
@@ -138,9 +136,7 @@ static const exim_gnutls_state_st exim_gnutls_state_init = {
   NULL, NULL, NULL, NULL,
   NULL, NULL, NULL, NULL, NULL, NULL,
   NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-#ifdef EXPERIMENTAL_CERTNAMES
-                                            NULL,
-#endif
+  NULL,
 #ifdef EXPERIMENTAL_EVENT
                                             NULL,
 #endif
@@ -1385,7 +1381,6 @@ if (rc < 0 ||


 else
   {
-#ifdef EXPERIMENTAL_CERTNAMES
   if (state->exp_tls_verify_cert_hostnames)
     {
     int sep = 0;
@@ -1407,7 +1402,6 @@ else
       return TRUE;
       }
     }
-#endif
   state->peer_cert_verified = TRUE;
   DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
       state->peerdn ? state->peerdn : US"<unset>");
@@ -1771,7 +1765,6 @@ return OK;




-#ifdef EXPERIMENTAL_CERTNAMES
 static void
 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
   smtp_transport_options_block * ob)
@@ -1784,7 +1777,6 @@ if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
             state->exp_tls_verify_cert_hostnames);
   }
 }
-#endif



 /*************************************************
@@ -1859,9 +1851,7 @@ if (  (  state->exp_tls_verify_certificates
     || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
    )
   {
-#ifdef EXPERIMENTAL_CERTNAMES
   tls_client_setup_hostname_checks(host, state, ob);
-#endif
   DEBUG(D_tls)
     debug_printf("TLS: server certificate verification required.\n");
   state->verify_requirement = VERIFY_REQUIRED;
@@ -1869,9 +1859,7 @@ if (  (  state->exp_tls_verify_certificates
   }
 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
   {
-#ifdef EXPERIMENTAL_CERTNAMES
   tls_client_setup_hostname_checks(host, state, ob);
-#endif
   DEBUG(D_tls)
     debug_printf("TLS: server certificate verification optional.\n");
   state->verify_requirement = VERIFY_OPTIONAL;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 43fbaa4..7c66775 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -123,10 +123,7 @@ typedef struct tls_ext_ctx_cb {
   uschar *server_cipher_list;
   /* only passed down to tls_error: */
   host_item *host;
-
-#ifdef EXPERIMENTAL_CERTNAMES
   uschar * verify_cert_hostnames;
-#endif
 #ifdef EXPERIMENTAL_EVENT
   uschar * event_action;
 #endif
@@ -354,14 +351,11 @@ else if (depth != 0)
   }
 else
   {
-#ifdef EXPERIMENTAL_CERTNAMES
   uschar * verify_cert_hostnames;
-#endif


tlsp->peerdn = txt;
tlsp->peercert = X509_dup(cert);

-#ifdef EXPERIMENTAL_CERTNAMES
   if (  tlsp == &tls_out
      && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
          /* client, wanting hostname check */
@@ -413,7 +407,6 @@ else
     "tls_try_verify_hosts)\n");
       }
 # endif
-#endif    /*EXPERIMENTAL_CERTNAMES*/


 #ifdef EXPERIMENTAL_EVENT
   ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
@@ -1289,9 +1282,7 @@ else            /* client */
 # endif
 #endif


-#ifdef EXPERIMENTAL_CERTNAMES
cbinfo->verify_cert_hostnames = NULL;
-#endif

/* Set up the RSA callback */

@@ -1672,10 +1663,7 @@ return OK;

 static int
 tls_client_basic_ctx_init(SSL_CTX * ctx,
-    host_item * host, smtp_transport_options_block * ob
-#ifdef EXPERIMENTAL_CERTNAMES
-    , tls_ext_ctx_cb * cbinfo
-#endif
+    host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
               )
 {
 int rc;
@@ -1696,14 +1684,12 @@ if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
       ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
   return rc;


-#ifdef EXPERIMENTAL_CERTNAMES
 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
   {
   cbinfo->verify_cert_hostnames = host->name;
   DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
             cbinfo->verify_cert_hostnames);
   }
-#endif
 return OK;
 }


@@ -1882,11 +1868,8 @@ else

#endif

-  if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob
-#ifdef EXPERIMENTAL_CERTNAMES
-                , client_static_cbinfo
-#endif
-                )) != OK)
+  if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
+      != OK)
     return rc;


if ((client_ssl = SSL_new(client_ctx)) == NULL)
diff --git a/src/src/tls.c b/src/src/tls.c
index b3d088d..1182379 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -281,7 +281,6 @@ return list;
}


-# ifdef EXPERIMENTAL_CERTNAMES
 /* Compare a domain name with a possibly-wildcarded name. Wildcards
 are restricted to a single one, as the first element of patterns
 having at least three dot-separated elements.  Case-independent.
@@ -353,7 +352,6 @@ else if ((subjdn = tls_cert_subject(cert, NULL)))
   }
 return FALSE;
 }
-# endif    /*EXPERIMENTAL_CERTNAMES*/
 #endif    /*SUPPORT_TLS*/


 /* vi: aw ai sw=2
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 3dae1d2..f57ee69 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -176,10 +176,8 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, tls_tempfail_tryclear) },
   { "tls_try_verify_hosts", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_try_verify_hosts) },
-#ifdef EXPERIMENTAL_CERTNAMES
   { "tls_verify_cert_hostnames", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block,tls_verify_cert_hostnames)},
-#endif
   { "tls_verify_certificates", opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_verify_certificates) },
   { "tls_verify_hosts",     opt_stringptr,
@@ -262,10 +260,8 @@ smtp_transport_options_block smtp_transport_option_defaults = {
                        /* tls_dh_min_bits */
   TRUE,                /* tls_tempfail_tryclear */
   NULL,                /* tls_verify_hosts */
-  NULL                 /* tls_try_verify_hosts */
-# ifdef EXPERIMENTAL_CERTNAMES
- ,NULL                 /* tls_verify_cert_hostnames */
-# endif
+  NULL,                /* tls_try_verify_hosts */
+  US"*"                /* tls_verify_cert_hostnames */
 #endif
 #ifndef DISABLE_DKIM
  ,NULL,                /* dkim_canon */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 95e9195..1b51c13 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -74,9 +74,7 @@ typedef struct {
   BOOL    tls_tempfail_tryclear;
   uschar *tls_verify_hosts;
   uschar *tls_try_verify_hosts;
-# ifdef EXPERIMENTAL_CERTNAMES
   uschar *tls_verify_cert_hostnames;
-# endif
 #endif
 #ifndef DISABLE_DKIM
   uschar *dkim_domain;
diff --git a/test/confs/2012 b/test/confs/2012
index 97dc25e..6bc5487 100644
--- a/test/confs/2012
+++ b/test/confs/2012
@@ -104,6 +104,7 @@ send_to_server_failcert:
   tls_privatekey = CERT2


tls_verify_certificates = CA2
+ tls_verify_cert_hostnames =

# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
send_to_server_retry:
@@ -117,6 +118,7 @@ send_to_server_retry:

   tls_verify_certificates = \
     ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+  tls_verify_cert_hostnames =


# this will fail to verify the cert but continue unverified though crypted
send_to_server_crypt:
@@ -130,6 +132,7 @@ send_to_server_crypt:

tls_verify_certificates = CA2
tls_try_verify_hosts = *
+ tls_verify_cert_hostnames =

# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
send_to_server_req_fail:
@@ -142,31 +145,32 @@ send_to_server_req_fail:

tls_verify_certificates = CA2
tls_verify_hosts = *
-
-# # this will fail to verify the cert name and fallback to unencrypted
-# send_to_server_req_failname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = server1.example.net : server1.example.org
-# tls_verify_hosts = *
-#
-# # this will pass the cert verify including name check
-# send_to_server_req_passname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = noway.example.com : server1.example.com
-# tls_verify_hosts = *
+ tls_verify_cert_hostnames =
+
+ # this will fail to verify the cert name and fallback to unencrypted
+ send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+ # this will pass the cert verify including name check
+ send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *

# End
diff --git a/test/confs/2112 b/test/confs/2112
index 4751e60..2c81e0c 100644
--- a/test/confs/2112
+++ b/test/confs/2112
@@ -104,6 +104,7 @@ send_to_server_failcert:
tls_privatekey = CERT2

tls_verify_certificates = CA2
+ tls_verify_cert_hostnames =

# this will fail to verify the cert at HOSTIPV4 so fail the crypt, then retry on 127.1; ok
send_to_server_retry:
@@ -117,6 +118,7 @@ send_to_server_retry:

   tls_verify_certificates = \
     ${if eq{$host_address}{127.0.0.1}{CA1}{CA2}}
+  tls_verify_cert_hostnames =


# this will fail to verify the cert but continue unverified though crypted
send_to_server_crypt:
@@ -130,6 +132,7 @@ send_to_server_crypt:

tls_verify_certificates = CA2
tls_try_verify_hosts = *
+ tls_verify_cert_hostnames =

# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
send_to_server_req_fail:
@@ -142,31 +145,32 @@ send_to_server_req_fail:

tls_verify_certificates = CA2
tls_verify_hosts = *
-
-# # this will fail to verify the cert name and fallback to unencrypted
-# send_to_server_req_failname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = server1.example.net : server1.example.org
-# tls_verify_hosts = *
-#
-# # this will pass the cert verify including name check
-# send_to_server_req_passname:
-# driver = smtp
-# allow_localhost
-# hosts = HOSTIPV4
-# port = PORT_D
-# tls_certificate = CERT2
-# tls_privatekey = CERT2
-#
-# tls_verify_certificates = CA1
-# tls_verify_cert_hostnames = noway.example.com : server1.example.com
-# tls_verify_hosts = *
+ tls_verify_cert_hostnames =
+
+ # this will fail to verify the cert name and fallback to unencrypted
+ send_to_server_req_failname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_hosts = *
+
+ # this will pass the cert verify including name check
+ send_to_server_req_passname:
+ driver = smtp
+ allow_localhost
+ hosts = HOSTIPV4
+ port = PORT_D
+ tls_certificate = CERT2
+ tls_privatekey = CERT2
+
+ tls_verify_certificates = CA1
+ tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_hosts = *

 # End
diff --git a/test/confs/5601 b/test/confs/5601
index 3e97fcb..1a73203 100644
--- a/test/confs/5601
+++ b/test/confs/5601
@@ -90,6 +90,7 @@ send_to_server1:
   hosts = HOSTIPV4
   port = PORT_D
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls = *
   hosts_request_ocsp = :
   headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -102,6 +103,7 @@ send_to_server2:
   hosts = HOSTIPV4
   port = PORT_D
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls = *
 # note no ocsp mention here
   headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -115,6 +117,7 @@ send_to_server3:
   port = PORT_D
   helo_data = helo.data.changed
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls =  *
   hosts_require_ocsp = *
   headers_add = X-TLS-out: ocsp status $tls_out_ocsp \
@@ -128,6 +131,7 @@ send_to_server4:
   port = PORT_D
   helo_data = helo.data.changed
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   protocol =           smtps
   hosts_require_tls =  *
   hosts_require_ocsp = *
diff --git a/test/confs/5608 b/test/confs/5608
index da0f670..6061a13 100644
--- a/test/confs/5608
+++ b/test/confs/5608
@@ -98,6 +98,7 @@ send_to_server1:
   hosts = HOSTIPV4
   port = PORT_D
   tls_verify_certificates =    DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls =    *
   hosts_request_ocsp =    :
   headers_add =            X-TLS-out: ocsp status $tls_out_ocsp
@@ -110,6 +111,7 @@ send_to_server2:
   hosts = HOSTIPV4
   port = PORT_D
   tls_verify_certificates =    DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls =    *
 # note no ocsp mention here
   headers_add =            X-TLS-out: ocsp status $tls_out_ocsp
@@ -123,6 +125,7 @@ send_to_server3:
   port = PORT_D
   helo_data = helo.data.changed
   tls_verify_certificates =    DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls =    *
   hosts_require_ocsp =    *
   headers_add =            X-TLS-out: ocsp status $tls_out_ocsp
@@ -136,6 +139,7 @@ send_to_server4:
   port = PORT_D
   helo_data = helo.data.changed
   tls_verify_certificates =    DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   protocol =           smtps
   hosts_require_tls =  *
   hosts_require_ocsp = *
diff --git a/test/confs/5651 b/test/confs/5651
index 6b70d33..19f16d0 100644
--- a/test/confs/5651
+++ b/test/confs/5651
@@ -88,6 +88,7 @@ send_to_server1:
   hosts = HOSTIPV4
   port = PORT_D
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls = *
   hosts_request_ocsp = :
   headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -100,6 +101,7 @@ send_to_server2:
   hosts = HOSTIPV4
   port = PORT_D
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls = *
 # note no ocsp mention here
   headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -114,6 +116,7 @@ send_to_server3:
   helo_data = helo.data.changed
   #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls =  *
   hosts_require_ocsp = *
   headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -128,6 +131,7 @@ send_to_server4:
   helo_data = helo.data.changed
   #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   protocol =           smtps
   hosts_require_tls =  *
   hosts_require_ocsp = *
diff --git a/test/confs/5658 b/test/confs/5658
index 7ab2de6..de486e0 100644
--- a/test/confs/5658
+++ b/test/confs/5658
@@ -95,6 +95,7 @@ send_to_server1:
   hosts = HOSTIPV4
   port = PORT_D
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls = *
   hosts_request_ocsp = :
   headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -108,6 +109,7 @@ send_to_server2:
   hosts = HOSTIPV4
   port = PORT_D
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls = *
 # note no ocsp mention here
   headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -123,6 +125,7 @@ send_to_server3:
   helo_data = helo.data.changed
   #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   hosts_require_tls =  *
   hosts_require_ocsp = *
   headers_add = X-TLS-out: OCSP status $tls_out_ocsp \
@@ -138,6 +141,7 @@ send_to_server4:
   helo_data = helo.data.changed
   #tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem
   tls_verify_certificates = DIR/aux-fixed/exim-ca/example.com/CA/CA.pem
+  tls_verify_cert_hostnames =
   protocol =           smtps
   hosts_require_tls =  *
   hosts_require_ocsp = *
diff --git a/test/confs/5750 b/test/confs/5750
index 364f73a..d1e2e7c 100644
--- a/test/confs/5750
+++ b/test/confs/5750
@@ -104,6 +104,7 @@ send_to_server:
        ${if eq {$local_part}{good}\
 {example.com/server1.example.com/ca_chain.pem}\
 {example.net/server1.example.net/ca_chain.pem}}
+  tls_verify_cert_hostnames =


event_action = ${acl {logger} {$event_name} {$domain} }

diff --git a/test/confs/5760 b/test/confs/5760
index 60f386b..80dde3e 100644
--- a/test/confs/5760
+++ b/test/confs/5760
@@ -104,6 +104,7 @@ send_to_server:
        ${if eq {$local_part}{good}\
 {example.com/server1.example.com/ca_chain.pem}\
 {example.net/server1.example.net/ca_chain.pem}}
+  tls_verify_cert_hostnames =


event_action = ${acl {logger} {$event_name} {$domain} }

diff --git a/test/confs/5840 b/test/confs/5840
index 2c72b64..5c0f6a5 100644
--- a/test/confs/5840
+++ b/test/confs/5840
@@ -68,6 +68,7 @@ send_to_server:
   hosts_request_ocsp = ${if or { {= {4}{$tls_out_tlsa_usage}} \
                  {= {0}{$tls_out_tlsa_usage}} } \
                         {*}{}}
+  tls_verify_cert_hostnames = ${if eq {OPT}{no_certname} {}{*}}
   tls_try_verify_hosts = thishost.test.ex
   tls_verify_certificates = CDIR2/ca_chain.pem


diff --git a/test/log/2012 b/test/log/2012
index 48c75d2..efb2933 100644
--- a/test/log/2012
+++ b/test/log/2012
@@ -2,6 +2,8 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@??? R=client_x T=send_to_server_failcert defer (-37) H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: failure while setting up TLS session
@@ -9,14 +11,20 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 userx@???: error ignored
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=no DN="CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbA-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed): certificate invalid
1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => users@??? R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

******** SERVER ********
@@ -25,8 +33,10 @@
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (recv): A TLS fatal alert has been received.: Certificate is bad
1999-03-02 09:44:33 TLS error on connection from the.local.host.name [ip4.ip4.ip4.ip4] (send): The specified session has been invalidated for some reason.
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@???
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="C=UK,O=The Exim Maintainers,OU=Test Suite,CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@???
diff --git a/test/log/2112 b/test/log/2112
index 45a0458..02d1d31 100644
--- a/test/log/2112
+++ b/test/log/2112
@@ -2,6 +2,8 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
@@ -11,18 +13,24 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => usery@??? R=client_y T=send_to_server_retry H=127.0.0.1 [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=certificate not trusted cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmaZ-0005vi-00 SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => userz@??? R=client_z T=send_to_server_crypt H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=no DN="/CN=server1.example.com" C="250 OK id=10HmbE-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 10HmbA-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
1999-03-02 09:44:33 10HmbA-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
1999-03-02 09:44:33 10HmbA-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbD-0005vi-00"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 no IP address found for host server1.example.net
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbC-0005vi-00 no IP address found for host noway.example.com
+1999-03-02 09:44:33 10HmbC-0005vi-00 => users@??? R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00"
+1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

 ******** SERVER ********
@@ -31,8 +39,10 @@
 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
-1999-03-02 09:44:33 10HmbC-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
+1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaY-0005vi-00@???
+1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmaZ-0005vi-00@???
 1999-03-02 09:44:33 TLS error on connection from the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] (SSL_accept): error: <<detail omitted>>
 1999-03-02 09:44:33 TLS client disconnected cleanly (rejected our certificate?)
-1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@???
+1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbB-0005vi-00@???
+1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLSv1:AES256-SHA:256 CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" S=sss id=E10HmbC-0005vi-00@???
diff --git a/test/log/5840 b/test/log/5840
index 7507c5c..a842abc 100644
--- a/test/log/5840
+++ b/test/log/5840
@@ -14,6 +14,8 @@
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for CALLER@???
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmbD-0005vi-00 SSL verify error: depth=0 error=self signed certificate cert=/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock
+1999-03-02 09:44:33 10HmbD-0005vi-00 SSL verify error: certificate name mismatch: "/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock"
+
 1999-03-02 09:44:33 10HmbD-0005vi-00 => CALLER@??? R=client T=send_to_server H=thishost.test.ex [127.0.0.1] X=TLSv1:AES256-SHA:256 CV=no DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/scripts/2000-GnuTLS/2012 b/test/scripts/2000-GnuTLS/2012
index 3b25ba2..76a6d50 100644
--- a/test/scripts/2000-GnuTLS/2012
+++ b/test/scripts/2000-GnuTLS/2012
@@ -14,6 +14,12 @@ Testing
 exim userq@???
 Testing
 ****
+exim userr@???
+Testing
+****
+exim users@???
+Testing
+****
 exim -qf
 ****
 killdaemon
diff --git a/test/scripts/2100-OpenSSL/2112 b/test/scripts/2100-OpenSSL/2112
index 98ea4cb..c500751 100644
--- a/test/scripts/2100-OpenSSL/2112
+++ b/test/scripts/2100-OpenSSL/2112
@@ -13,6 +13,12 @@ Testing
 exim userq@???
 Testing
 ****
+exim userr@???
+Testing
+****
+exim users@???
+Testing
+****
 exim -qf
 ****
 killdaemon
diff --git a/test/scripts/5840-DANE-OpenSSL/5840 b/test/scripts/5840-DANE-OpenSSL/5840
index eef14c2..c0133ea 100644
--- a/test/scripts/5840-DANE-OpenSSL/5840
+++ b/test/scripts/5840-DANE-OpenSSL/5840
@@ -43,7 +43,7 @@ exim -DSERVER=server -DDETAILS=ca -bd -oX PORT_D
 exim -odq CALLER@???
 Testing
 ****
-exim -qf
+exim -DOPT=no_certname -qf
 ****
 killdaemon
 #
diff --git a/test/stderr/5410 b/test/stderr/5410
index 0968549..943681e 100644
--- a/test/stderr/5410
+++ b/test/stderr/5410
@@ -83,6 +83,7 @@ expanding: ${if eq {$address_data}{userz}{*}{:}}
   SMTP<< 220 TLS go ahead
 127.0.0.1 in hosts_require_ocsp? no (option unset)
 127.0.0.1 in hosts_request_ocsp? yes (matched "*")
+127.0.0.1 in tls_verify_cert_hostnames? yes (matched "*")
   SMTP>> EHLO myhost.test.ex
   SMTP<< 250-myhost.test.ex Hello the.local.host.name [ip4.ip4.ip4.ip4]
          250-SIZE 52428800