+static void ustream_ssl_verify_cert(struct ustream_ssl *us)
+{
+ void *ssl = us->ssl;
+ const char *msg = NULL;
+ bool cn_mismatch;
+ int r;
+
+ r = ssl_get_verify_result(ssl);
+ cn_mismatch = r & BADCERT_CN_MISMATCH;
+ r &= ~BADCERT_CN_MISMATCH;
+
+ if (r & BADCERT_EXPIRED)
+ msg = "certificate has expired";
+ else if (r & BADCERT_REVOKED)
+ msg = "certificate has been revoked";
+ else if (r & BADCERT_NOT_TRUSTED)
+ msg = "certificate is self-signed or not signed by a trusted CA";
+ else
+ msg = "unknown error";
+
+ if (r) {
+ if (us->notify_verify_error)
+ us->notify_verify_error(us, r, msg);
+ return;
+ }
+
+ if (!cn_mismatch)
+ us->valid_cn = true;
+}
+