authorPatrick McDermott <patrick.mcdermott@libiquity.com>2019-08-03 18:39:28 (EDT)
committer Patrick McDermott <patrick.mcdermott@libiquity.com>2019-08-03 18:41:57 (EDT)
commite1c57ca35b43e6d85749be1f44bdfa4a5359d4e5 (patch)
treee325bbdb46578253beac7cd7b001222795b490ee
parent7ba4542176a2b91d3d6d906fd1ab98745f5bc0ee (diff)
s_client: Use wolfSSL DN check code, not extra API
And drop --enable-opensslextra option recommendation in README. Also, check SNI name, not host name.
-rw-r--r--README1
-rw-r--r--src/s_client.c22
2 files changed, 4 insertions, 19 deletions
diff --git a/README b/README
index 060be30..d20ccb9 100644
--- a/README
+++ b/README
@@ -16,7 +16,6 @@ Building wolfSSL with the following configuration options (keeping other
defaults) is recommended for wolfssl-util to perform as a strong modern TLS
implementation:
- --enable-opensslextra
--enable-maxstrength
--disable-aescbc
--disable-oldtls
diff --git a/src/s_client.c b/src/s_client.c
index 0cd77ca..cdf3df3 100644
--- a/src/s_client.c
+++ b/src/s_client.c
@@ -287,9 +287,6 @@ s_client(int argc, char **argv)
int sfd = -1;
int err;
char buf[WOLFSSL_MAX_ERROR_SZ];
-#ifdef OPENSSL_EXTRA
- WOLFSSL_X509 *cert;
-#endif
for (; argc > 0; --argc, ++argv) {
if (strcmp(*argv, "-quiet") == 0) {
@@ -324,7 +321,6 @@ s_client(int argc, char **argv)
}
#endif
- (void) servername;
if (
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
wolfSSL_CTX_EnableOCSPStapling(ctx) != WOLFSSL_SUCCESS
@@ -353,7 +349,10 @@ s_client(int argc, char **argv)
#ifdef HAVE_SUPPORTED_CURVES
use_curves(ctx) == false ||
#endif
- (ssl = wolfSSL_new(ctx)) == NULL) {
+ (ssl = wolfSSL_new(ctx)) == NULL ||
+ wolfSSL_check_domain_name(ssl, servername) !=
+ WOLFSSL_SUCCESS
+ ) {
fputs("Out of memory\n", stderr);
goto error;
}
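Review bot: A failure of `wolfSSL_check_domain_name()` in this condition chain is reported as "Out of memory", which hides a problem with the expected peer name behind an unrelated message. I would take the call out of the chain and give it its own branch directly after it, e.g. `if (wolfSSL_check_domain_name(ssl, servername) != WOLFSSL_SUCCESS) { fputs("Failed to set expected domain name\n", stderr); goto error; }`. How `servername` is initialised is outside this hunk; if it can still be NULL when no SNI name was given, the call presumably fails here and the client exits with that same message, so a fallback to the connect host may be needed. The name mismatch is now expected to surface during certificate verification in the handshake rather than in an explicit post-connect check, so it is worth confirming that peer verification is enabled on `ctx` (not visible here). The opening `if (` and the `error:` label both lie outside the hunk.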
@@ -371,19 +370,6 @@ s_client(int argc, char **argv)
goto error;
}
-#ifdef OPENSSL_EXTRA
- cert = wolfSSL_get_peer_certificate(ssl);
- if (cert == NULL) {
- fputs("Failed to get certificate\n", stderr);
- goto error;
- }
- if (wolfSSL_X509_check_host(cert, host, strlen(host), 0, NULL) !=
- WOLFSSL_SUCCESS) {
- fputs("Domain name mismatch\n", stderr);
- goto error;
- }
-#endif /* OPENSSL_EXTRA */
-
if (poll_fds(sfd, ssl) == false) {
goto error;
}