ircd::net: Add option to bypass CN verification of self-signed certs.

include/ircd/net/open.h

@@ -84,6 +84,12 @@ struct ircd::net::open_opts
 	/// common_name will pass muster.
 	bool verify_common_name { true };
 
+	/// Option to toggle whether to perform CN verification for self-signed
+	/// certificates. This is set to false for compatibility purposes as many
+	/// self-signed certificates have either no CN or CN=localhost and none
+	/// of that really matters anyway.
+	bool verify_self_signed_common_name { false };
+
 	/// The expected /CN of the target. This should be the remote's hostname,
 	/// If it is empty then `hostport.host` is used. If the signed /CN has
 	/// some rfc2818/rfc2459 wildcard we will properly match that for you.

ircd/net.cc

@@ -1842,7 +1842,12 @@ noexcept try
 		            openssl::print_subject(buf, cert));
 	}
 
-	if(!valid) switch(openssl::get_error(stctx))
+	const auto err
+	{
+		openssl::get_error(stctx)
+	};
+
+	if(!valid) switch(err)
 	{
 		case X509_V_OK:
 			assert(0);
@@ -1867,7 +1872,13 @@ noexcept try
 			break;
 	}
 
-	if(opts.verify_common_name)
+	const bool verify_common_name
+	{
+		opts.verify_common_name &&
+		(opts.verify_self_signed_common_name && err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+	};
+
+	if(verify_common_name)
 	{
 		if(unlikely(empty(common_name(opts))))
 			throw inauthentic