Commit 706e5f4a48 for openssl.org

commit 706e5f4a48b8da63ce2191737ff950194bfbaa9a
Author: sftcd <stephen.farrell@cs.tcd.ie>
Date:   Thu Dec 18 14:16:10 2025 +0000

    tls_process_server_hello(): With retry config validate the outer hostname

    Call SSL_set1_host() to apply the outer hostname to the certificate
    validation.

    Fixes DEF-02-009

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    MergeDate: Wed Feb 11 17:19:14 2026
    (Merged from https://github.com/openssl/openssl/pull/29593)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index e4d77a0980..81bf5d91bd 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1899,6 +1899,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL_CONNECTION *s, PACKET *pkt)
                     SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                     goto err;
                 }
+                if (SSL_set1_host(ssl, s->ext.ech.outer_hostname) != 1) {
+                    SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
+                    goto err;
+                }
             }
         }
     }
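Review bot: The added `SSL_set1_host(ssl, s->ext.ech.outer_hostname)` call fails open if `outer_hostname` is NULL or empty, because SSL_set1_host() then clears the expected-name list and still returns 1, so the peer certificate would not be checked against any name. No non-NULL check is visible in this hunk; the enclosing block of tls_process_server_hello() starts outside it, so this may already be guaranteed earlier. If it is not, fold the guard into the condition: `if (s->ext.ech.outer_hostname == NULL || SSL_set1_host(ssl, s->ext.ech.outer_hostname) != 1) {`. A short comment above the call, such as `/* retry configs present: the certificate must validate against the outer hostname */`, would also record why the expected host is replaced here.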