adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

X509_check_host → X509_VERIFY_PARAM_set1_host #786

Open DimitriPapadopoulos opened 3 years ago

DimitriPapadopoulos commented 3 years ago

As noticed in #785, the OpenSSL documentation suggests:

Applications are encouraged to use X509_VERIFY_PARAM_set1_host() rather than explicitly calling X509_check_host(3). Host name checks may be out of scope with the DANE-EE(3) certificate usage, and the internal checks will be suppressed as appropriate when DANE support is enabled.

It seems X509_VERIFY_PARAM_set1_host() had been introduced in 2012 by commit https://github.com/openssl/openssl/commit/3bf15e2974f416cb970ef54fae0f600ec299000e and has been available in OpenSSL 1.0.2 and later. According to the Downloads page:

Extended support for 1.0.2 to gain access to security fixes for that version is available.

It looks like Red Hat had updated RHEL 7.4 to OpenSSL 1.0.2:

With the release of RHEL 7.4, openssl has been updated to version 1.0.2.

I believe there might still be Linux distributions with OpenSSL 1.0.1 in extended support, such as RHEL 5 or RHEL 6. Therefore I believe we should use autoconf to check whether X509_VERIFY_PARAM_set1_host() is available and fall back on X509_check_host() if not.

DimitriPapadopoulos commented 3 years ago

Note that X509_VERIFY_PARAM_set1_host() is not available in LibreSSL either: Use autoconf to detect OpenSSL and libssl features