Description
LuaSec, although the name suggests otherwise, seems not very secure by default, as it will gladly accept server certificates with any hostname.
Please consider this ancient paper: "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software".
And maybe start using the function X509_VERIFY_PARAM_set1_host (introduced in OpenSSL 1.1) to verify the hostnames from the Subject Alternative Name. Although there are also some functions available since OpenSSL 1.0.2; see the OpenSSL website wiki on Hostname Validation.
Or at least document the limitations of the current verification and the implications they might have.
Or maybe something based on this pull request:
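To make the missing check concrete, here is an added example (not LuaSec's code, and not from the issue author) of what hostname verification against the Subject Alternative Name has to do: take the server's dNSName entries, compare them case-insensitively with the hostname the client intended to reach, and allow a `*` only as the whole leftmost label matching exactly one label. The SAN list and the function names `dnsname_matches`, `san_allows_host` and `demo_allows` are constructed for illustration; in real OpenSSL-based code this logic is what you get by calling X509_VERIFY_PARAM_set1_host on the connection's verify parameters together with SSL_VERIFY_PEER, which is the fix the issue asks for, so the hand-written matcher here is for understanding the rules, not a replacement for the library call.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two byte ranges (DNS names are case-insensitive). */
static bool ci_equal(const char *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen) return false;
    for (size_t i = 0; i < alen; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return false;
    }
    return true;
}

/* Match one SAN dNSName pattern against the hostname the client intended to reach.
 * Rules (a strict subset of what OpenSSL's checker accepts by default):
 *  - comparison is case-insensitive; one trailing dot is ignored on either side
 *  - '*' is only allowed as the whole leftmost label ("*.example.com")
 *  - that wildcard matches exactly one label: never zero labels, never "a.b"
 *  - the part after the wildcard must still hold at least two labels, so "*.com" is rejected
 */
bool dnsname_matches(const char *pattern, const char *host) {
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen > 0 && pattern[plen - 1] == '.') plen--;
    if (hlen > 0 && host[hlen - 1] == '.') hlen--;
    if (plen == 0 || hlen == 0) return false;

    if (plen >= 2 && pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 1;   /* ".example.com", including the leading dot */
        size_t slen = plen - 1;
        size_t dots = 0;
        for (size_t i = 0; i < slen; i++) if (suffix[i] == '.') dots++;
        if (dots < 2) return false;         /* too broad: would match every name under a TLD */

        const char *hdot = memchr(host, '.', hlen);
        if (hdot == NULL || hdot == host) return false;  /* host needs a non-empty first label */
        size_t hsuffix_len = hlen - (size_t)(hdot - host);
        return ci_equal(suffix, slen, hdot, hsuffix_len);
    }
    if (memchr(pattern, '*', plen) != NULL) return false;  /* "f*.example.com", "www.*.com", ... */
    return ci_equal(pattern, plen, host, hlen);
}

/* A SAN entry as a binding might hand it to the application: type name and value. */
typedef struct { const char *type; const char *value; } san_entry;

/* True only if some dNSName entry matches `host`. An iPAddress entry never satisfies
 * a DNS hostname (it would need a byte-wise address comparison instead), and a
 * certificate with no matching entry must be rejected, not silently accepted. */
bool san_allows_host(const san_entry *sans, size_t count, const char *host) {
    for (size_t i = 0; i < count; i++) {
        if (strcmp(sans[i].type, "dNSName") == 0 && dnsname_matches(sans[i].value, host))
            return true;
    }
    return false;
}

/* Constructed SAN set standing in for a parsed server certificate (not a real cert). */
static const san_entry demo_sans[] = {
    { "dNSName",   "example.com"   },
    { "dNSName",   "*.example.com" },
    { "iPAddress", "192.0.2.10"    },
};

bool demo_allows(const char *host) {
    return san_allows_host(demo_sans, sizeof demo_sans / sizeof demo_sans[0], host);
}

int main(void) {
    const char *hosts[] = { "example.com", "WWW.example.com", "a.b.example.com",
                            "example.com.evil.test", "192.0.2.10" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-24s %s\n", hosts[i], demo_allows(hosts[i]) ? "accept" : "REJECT");
    return 0;
}
```

The last two hosts in `main` show the two failure modes a client without this check cannot see: a certificate for `example.com` presented while connecting to an unrelated name, and an IP literal that can only ever be satisfied by an iPAddress entry.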