As noticed in #785, the OpenSSL documentation suggests:
"Applications are encouraged to use X509_VERIFY_PARAM_set1_host() rather than explicitly calling X509_check_host(3). Host name checks may be out of scope with the DANE-EE(3) certificate usage, and the internal checks will be suppressed as appropriate when DANE support is enabled."
It seems X509_VERIFY_PARAM_set1_host() had been introduced in 2012 by commit https://github.com/openssl/openssl/commit/3bf15e2974f416cb970ef54fae0f600ec299000e and has been available in OpenSSL 1.0.2 and later. According to the Downloads page:
It looks like Red Hat had updated RHEL 7.4 to OpenSSL 1.0.2:
"With the release of RHEL 7.4, openssl has been updated to version 1.0.2."
I believe there might still be Linux distributions with OpenSSL 1.0.1 in extended support, such as RHEL 5 or RHEL 6. Therefore I believe we should use autoconf to check whether X509_VERIFY_PARAM_set1_host() is available and fall back on X509_check_host() if not.
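One way the proposed autoconf check could look, as an added example that is not part of the original issue or the project's build files. The `hostcheck` variable, the messages, and the premise that earlier configure checks already put OpenSSL's libraries in `LIBS` are assumptions; the fragment also stops configure when neither function links, so a build can never end up with no host name check at all.

```m4
dnl configure.ac fragment (added example, not the project's own code).
dnl Assumption: earlier checks already located OpenSSL, so LIBS contains
dnl -lssl -lcrypto and the link tests below run against the target library.

AC_CHECK_HEADERS([openssl/x509v3.h])

dnl Defines HAVE_X509_VERIFY_PARAM_SET1_HOST and/or HAVE_X509_CHECK_HOST
dnl in config.h for each function that links.
AC_CHECK_FUNCS([X509_VERIFY_PARAM_set1_host X509_check_host])

dnl Prefer the check performed inside the handshake; fall back to the
dnl explicit call; refuse to build if neither is available.
AS_IF([test "x$ac_cv_func_X509_VERIFY_PARAM_set1_host" = xyes],
        [hostcheck="X509_VERIFY_PARAM_set1_host (checked during the handshake)"],
      [test "x$ac_cv_func_X509_check_host" = xyes],
        [hostcheck="X509_check_host (explicit call after the handshake)"],
      [AC_MSG_ERROR([OpenSSL provides neither X509_VERIFY_PARAM_set1_host
nor X509_check_host; cannot verify TLS host names])])

AC_MSG_NOTICE([TLS host name verification: $hostcheck])

dnl C side, selected by the macros above ('ssl', 'cert' and 'host' are
dnl hypothetical variable names):
dnl
dnl   #ifdef HAVE_X509_VERIFY_PARAM_SET1_HOST
dnl       /* before SSL_connect(); needs SSL_VERIFY_PEER to take effect */
dnl       if (X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl), host, 0) != 1)
dnl           goto fail;
dnl   #elif defined(HAVE_X509_CHECK_HOST)
dnl       /* after SSL_connect(), on the certificate returned by
dnl          SSL_get_peer_certificate(); only a return of 1 is a match,
dnl          0 is a mismatch and negative values are errors */
dnl       if (X509_check_host(cert, host, 0, 0, NULL) != 1)
dnl           goto fail;
dnl   #endif
```

In the fallback branch the handshake itself does not fail on a name mismatch, so the caller has to close the connection whenever `X509_check_host()` returns anything other than 1.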