On Thu, 2019-06-20 at 16:27 +0200, Laszlo Ersek wrote:
> It is indeed the bug that you think it is ("From code inspection I'd
> have guessed that the code would tolerate *any* valid certificate, even
> for a host other than the one it actually attempted to connect to.") :)
> I'm CC'ing you on the BZ now, so you can read it even before it gets
> opened up.

... and I've pointed out the problem in the implementation of
TlsSetVerifyHost(). :)

Thanks.