openssl: verbose: show matching SAN pattern

... to allow users to see which specfic wildcard that matched when such
is used.

Also minor logic cleanup to simplify the code, and I removed all tabs
from verbose strings.

lib/vtls/openssl.c

@@ -1024,8 +1024,7 @@ void Curl_ossl_close_all(struct SessionHandle *data)
 */
 static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
 {
-  int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
+  bool matched = FALSE;
-                       means mismatch */
   int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
   size_t addrlen = 0;
   struct SessionHandle *data = conn->data;
@@ -1062,7 +1061,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
     numalts = sk_GENERAL_NAME_num(altnames);
 
     /* loop through all alternatives while none has matched */
-    for(i=0; (i<numalts) && (matched != 1); i++) {
+    for(i=0; (i<numalts) && !matched; i++) {
       /* get a handle to alternative name number i */
       const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
 
@@ -1087,19 +1086,23 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
           if((altlen == strlen(altptr)) &&
              /* if this isn't true, there was an embedded zero in the name
                 string and we cannot match it. */
-             Curl_cert_hostcheck(altptr, conn->host.name))
+             Curl_cert_hostcheck(altptr, conn->host.name)) {
-            matched = 1;
+            matched = TRUE;
-          else
+            infof(data,
-            matched = 0;
+                  " subjectAltName: host \"%s\" matched cert's \"%s\"\n",
+                  conn->host.dispname, altptr);
+          }
           break;
 
         case GEN_IPADD: /* IP address comparison */
           /* compare alternative IP address if the data chunk is the same size
              our server IP address is */
-          if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
+          if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
-            matched = 1;
+            matched = TRUE;
-          else
+            infof(data,
-            matched = 0;
+                  " subjectAltName: host \"%s\" matched cert's IP address!\n",
+                  conn->host.dispname);
+          }
           break;
         }
       }
@@ -1107,13 +1110,13 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
     GENERAL_NAMES_free(altnames);
   }
 
-  if(matched == 1)
+  if(matched)
-    /* an alternative name matched the server hostname */
+    /* an alternative name matched */
-    infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
+    ;
-  else if(matched == 0) {
+  else if(altnames) {
-    /* an alternative name field existed, but didn't match and then
+    /* an alternative name field existed, but didn't match and then we MUST
-       we MUST fail */
+       fail */
-    infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
+    infof(data, " subjectAltName does not match %s\n", conn->host.dispname);
     failf(data, "SSL: no alternative certificate subject name matches "
           "target host name '%s'", conn->host.dispname);
     result = CURLE_PEER_FAILED_VERIFICATION;
@@ -1123,7 +1126,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
        distinguished one to get the most significant one. */
     int j, i=-1;
 
-/* The following is done because of a bug in 0.9.6b */
+    /* The following is done because of a bug in 0.9.6b */
 
     unsigned char *nulstr = (unsigned char *)"";
     unsigned char *peer_CN = nulstr;
@@ -1195,7 +1198,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
       result = CURLE_PEER_FAILED_VERIFICATION;
     }
     else {
-      infof(data, "\t common name: %s (matched)\n", peer_CN);
+      infof(data, " common name: %s (matched)\n", peer_CN);
     }
     if(peer_CN)
       OPENSSL_free(peer_CN);
@@ -2548,16 +2551,16 @@ static CURLcode servercert(struct connectdata *conn,
 
   rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
                          buffer, BUFSIZE);
-  infof(data, "\t subject: %s\n", rc?"[NONE]":buffer);
+  infof(data, " subject: %s\n", rc?"[NONE]":buffer);
 
   ASN1_TIME_print(mem, X509_get_notBefore(connssl->server_cert));
   len = BIO_get_mem_data(mem, (char **) &ptr);
-  infof(data, "\t start date: %.*s\n", len, ptr);
+  infof(data, " start date: %.*s\n", len, ptr);
   rc = BIO_reset(mem);
 
   ASN1_TIME_print(mem, X509_get_notAfter(connssl->server_cert));
   len = BIO_get_mem_data(mem, (char **) &ptr);
-  infof(data, "\t expire date: %.*s\n", len, ptr);
+  infof(data, " expire date: %.*s\n", len, ptr);
   rc = BIO_reset(mem);
 
   BIO_free(mem);
@@ -2579,7 +2582,7 @@ static CURLcode servercert(struct connectdata *conn,
     result = CURLE_SSL_CONNECT_ERROR;
   }
   else {
-    infof(data, "\t issuer: %s\n", buffer);
+    infof(data, " issuer: %s\n", buffer);
 
     /* We could do all sorts of certificate verification stuff here before
        deallocating the certificate. */
@@ -2619,7 +2622,7 @@ static CURLcode servercert(struct connectdata *conn,
         return CURLE_SSL_ISSUER_ERROR;
       }
 
-      infof(data, "\t SSL certificate issuer check ok (%s)\n",
+      infof(data, " SSL certificate issuer check ok (%s)\n",
             data->set.str[STRING_SSL_ISSUERCERT]);
       X509_free(issuer);
     }
@@ -2637,12 +2640,12 @@ static CURLcode servercert(struct connectdata *conn,
         result = CURLE_PEER_FAILED_VERIFICATION;
       }
       else
-        infof(data, "\t SSL certificate verify result: %s (%ld),"
+        infof(data, " SSL certificate verify result: %s (%ld),"
               " continuing anyway.\n",
               X509_verify_cert_error_string(lerr), lerr);
     }
     else
-      infof(data, "\t SSL certificate verify ok.\n");
+      infof(data, " SSL certificate verify ok.\n");
   }
 
 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \