Commit 6d643de2d5 for openssl.org
commit 6d643de2d5943f743c24903812228c1cf7047409
Author: Dr. David von Oheimb <dev@ddvo.net>
Date: Fri Apr 11 20:00:21 2025 +0200
X509_VERIFY_PARAM_set_flags.pod: add hint on joint use of X509_VERIFY_PARAM_set1_host() and SSL_set_tlsext_host_name()
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Jan 8 09:56:12 2026
(Merged from https://github.com/openssl/openssl/pull/29150)
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 864e242963..022aa733f2 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -375,6 +375,12 @@ instead of functions which work in specific structures such as
X509_STORE_CTX_set_flags() which are likely to be deprecated in a future
release.
+TLS clients are recommended to set up validation of server hostname(s) and/or
+IP address (directly using the above functions
+or more conveniently using L<SSL_set1_host(3)> or L<SSL_add1_host(3)>)
+and to use L<SSL_set_tlsext_host_name(3)> for Server Name Indication (SNI),
+which may be crucial also for correct routing of the connection request.
+
=head1 BUGS
Delta CRL checking is currently primitive. Only a single delta can be used and
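Review bot: The added paragraph joins the two recommendations with "and" but does not say that they are independent settings, so a reader can come away thinking that SSL_set_tlsext_host_name() also arranges hostname checking, or that SSL_set1_host() also sends SNI. Since the commit subject is about their joint use, suggest saying outright that SNI only transmits the name to the server and that certificate name validation has to be configured separately. The paragraph also covers "hostname(s) and/or IP address", while SNI carries DNS hostnames only (RFC 6066 does not permit literal IP addresses in the server name), so the SNI recommendation should be scoped to the hostname case. Lastly, "the above functions" is vague at the very end of the section, right before =head1 BUGS; naming X509_VERIFY_PARAM_set1_host(), as the commit subject does, would be clearer.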
@@ -403,6 +409,7 @@ L<X509_verify_cert(3)>,
L<X509_check_host(3)>,
L<X509_check_email(3)>,
L<X509_check_ip(3)>,
+L<SSL_set_tlsext_host_name(3)>,
L<openssl-x509(1)>
=head1 HISTORY
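Review bot: The SEE ALSO addition covers only L<SSL_set_tlsext_host_name(3)>, while the new paragraph in the first hunk also links L<SSL_set1_host(3)> and L<SSL_add1_host(3)>. The visible context of this list does not show either of them, so if they are not already listed further up, add them here as well so that every page referenced in the new text appears in SEE ALSO.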