When using ssl:connect with a server_name_indication option, the verify option set to verify_peer, and a custom verification fun (the one from the docs is sufficient), there is no code path that performs the hostname check (called from ssl_certificate:validate/3).
When no verify_fun is supplied, after all the extensions have been checked, and there is still a valid or valid_peer result, the ssl_certificate:validate/3 function is called, thus correctly performing a hostname check.
The hostname check was added in commit e9b0dbb4a95dbc8e328f08d6df6654dcbe13db09 but not added to the ssl_handshake:validation_fun_and_state/10 clause when a user verify function was supplied.
This issue can be reproduced by performing an `ssl:connect` to wrong.host.badssl.com with that host set as the server_name_indication option. Use a simple verify fun as follows, and set verify to verify_peer:
We've applied the following patch to get round the issue:
We noticed this in 20.1 but it is still an issue in master (where the above diff is from).
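As an added example (not the reporter's code or the patch referred to above), here is a verify fun in the style of the one in the ssl docs, extended so that its valid_peer clause performs the hostname check itself with public_key:pkix_verify_hostname/2. It is a mitigation an application can apply while the ssl code path described above is missing the check: with the reproduction host wrong.host.badssl.com the connect should now fail instead of succeeding. The module name, the 5000 ms timeout and the CaCertFile path are assumptions.

```erlang
%% Added example, not the reporter's code: a docs-style verify_fun whose
%% valid_peer clause checks the hostname itself, compensating for the
%% missing ssl_certificate:validate/3 call when a custom verify_fun is set.
-module(sni_verify_example).
-export([connect/2, verify_fun/1]).

%% Returns a {Fun, InitialUserState} pair for the verify_fun option.
%% Host is the expected DNS name, the same value passed as
%% server_name_indication.
verify_fun(Host) ->
    Fun = fun(_Cert, {bad_cert, _} = Reason, _UserState) ->
                  {fail, Reason};
             (_Cert, {extension, _}, UserState) ->
                  {unknown, UserState};
             (_Cert, valid, UserState) ->
                  %% Intermediate CA certificate: nothing extra to check.
                  {valid, UserState};
             (Cert, valid_peer, UserState) ->
                  %% Peer (leaf) certificate: require Host to match a
                  %% dNSName SAN (or the subject CN) before accepting it.
                  case public_key:pkix_verify_hostname(Cert, [{dns_id, Host}]) of
                      true  -> {valid, UserState};
                      false -> {fail, {bad_cert, hostname_check_failed}}
                  end
          end,
    {Fun, []}.

%% Connect with SNI, verify_peer and the hostname-checking verify_fun.
%% CaCertFile is the path to a PEM bundle of trusted CAs (assumed).
connect(Host, CaCertFile) ->
    ssl:connect(Host, 443,
                [{server_name_indication, Host},
                 {verify, verify_peer},
                 {cacertfile, CaCertFile},
                 {verify_fun, verify_fun(Host)}],
                5000).
```

Usage: `sni_verify_example:connect("wrong.host.badssl.com", "/path/to/ca-bundle.pem")` is expected to return `{error, ...}` carrying the `hostname_check_failed` reason, while a host whose certificate matches returns `{ok, Socket}`. Doing the check in the valid_peer clause keeps the rest of the chain validation (the bad_cert and extension handling) identical to the docs version.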