if the upstream is configured to allow fallback, this will not be a
fatal error, but it will still be checked.
Future work:
* verify any certs higher in the chain than the end-entity cert
* deal with raw public keys
* in the fallback case, report to the user whether the pinset match failed
We do this by associating a getdns_upstream object with the SSL object
handled by that upstream.
This allows us to collapse the verification callback code to a single
function.
Note that if we've agreed that fallback is ok, we are now willing to
accept *any* cert verification error, not just HOSTNAME_MISMATCH.
This is fine, because the alternative is falling back to cleartext,
which would be worse.
We also always set SSL_VERIFY_PEER, since we might as well try to do
so; we'll drop the verification error ourselves if we know we're OK
with falling back.
Jim Hague
Willem Toorop
Daniel Kahn Gillmor