Check the certificate name when reconnecting to an instance

refs #10963

lib/base/tlsstream.cpp

@@ -85,7 +85,7 @@ TlsStream::TlsStream(const Socket::Ptr& socket, const String& hostname, Connecti
 
 TlsStream::~TlsStream(void)
 {
-	Close();
+	CloseInternal(true);
 }
 
 int TlsStream::ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx)
@@ -310,17 +310,21 @@ void TlsStream::Shutdown(void)
  */
 void TlsStream::Close(void)
 {
-	if (!m_Eof) {
+	CloseInternal(false);
+}
+
+void TlsStream::CloseInternal(bool inDestructor)
+{
+	if (!m_Eof && !inDestructor) {
 		m_Eof = true;
 		SignalDataAvailable();
 	}
 
-	Stream::Close();
-
 	SocketEvents::Unregister();
 
-	boost::mutex::scoped_lock lock(m_Mutex);
+	Stream::Close();
 
+	boost::mutex::scoped_lock lock(m_Mutex);
 
 	if (!m_SSL)
 		return;

lib/base/tlsstream.hpp

@@ -99,6 +99,8 @@ private:
 
 	static int ValidateCertificate(int preverify_ok, X509_STORE_CTX *ctx);
 	static void NullCertificateDeleter(X509 *certificate);
+
+	void CloseInternal(bool inDestructor);
 };
 
 }

lib/remote/apilistener.cpp

@@ -321,6 +321,12 @@ void ApiListener::NewClientHandlerInternal(const Socket::Ptr& client, const Stri
 			return;
 		}
 
+		if (!hostname.IsEmpty() && identity != hostname) {
+			Log(LogInformation, "ApiListener")
+			    << "Unexpected certificate common name while connecting to endpoint '" << hostname << "': got '" << identity << "'";
+			return;
+		}
+
 		verify_ok = tlsStream->IsVerifyOK();
 
 		Log(LogInformation, "ApiListener")