curl-library
SSL patch
Date: Tue, 15 Jun 2004 18:06:28 +0200
I asked about Common Names regarding IDNA:
http://www.mail-archive.com/openssl-dev@openssl.org/msg17603.html
and got some conflicting answers, but I think libcurl does the right
thing by comparing 'peer_CN' against 'conn->host.name'. Not sure
about the ASN1_STRING_to_UTF8() wrt. IDNA. Until I find an ACE-host
with a certificate, I'll leave it.
I have some other patches:
* Tracing of SSL/TLS handshake is handy with "curl --trace". Found
some problems with some https sites this way.
* Print the details of the CERT-problem from OpenSSL; "certificate expired"
or similar.
* If SSL_connect() fails and ERR_get_error() is 0, the problem is with the
socket-state itself. But OpenSSL seems to clear the errno so using SO_ERROR
isn't any help. This can happen e.g. if we request an SSLv2 method and the
host doesn't like us, it simply resets the connection. Verify with
curl --sslv2 https://www.thawte.com/ucgi/browsercheck.exe
So printing "Unknown SSL protocol error in connection to .." is better than
it is now.
--gv
- text/plain attachment: diffs.txt
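
The error-reporting order described in the last two bullets of the message, as an added example that is not part of the original post and not libcurl's code. The helper name, the enum, the message wording other than the quoted "Unknown SSL protocol error" text, and the host name appended after it are assumptions; the values are taken as plain arguments so the block builds without OpenSSL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper for illustration; not libcurl's code. The caller is
 * assumed to pass values read right after SSL_connect() failed:
 *   queued_err    = ERR_get_error()
 *   queued_text   = text from ERR_error_string_n(queued_err, ...)
 *   verify_result = SSL_get_verify_result(ssl)   (X509_V_OK is 0)
 *   verify_text   = X509_verify_cert_error_string(verify_result)      */
enum connect_failure {
  FAIL_SOCKET_LEVEL,  /* error queue empty: e.g. the peer reset the connection */
  FAIL_CERT_VERIFY,   /* certificate rejected; verify_text says why */
  FAIL_SSL_QUEUE      /* any other error OpenSSL queued */
};

enum connect_failure
describe_connect_failure(unsigned long queued_err, const char *queued_text,
                         long verify_result, const char *verify_text,
                         const char *host, char *buf, size_t len)
{
  if(queued_err == 0) {
    /* Nothing queued, so there is no OpenSSL detail to print. */
    snprintf(buf, len, "Unknown SSL protocol error in connection to %s", host);
    return FAIL_SOCKET_LEVEL;
  }
  if(verify_result != 0) {
    snprintf(buf, len, "SSL certificate problem for %s: %s", host, verify_text);
    return FAIL_CERT_VERIFY;
  }
  snprintf(buf, len, "SSL connect error for %s: %s", host, queued_text);
  return FAIL_SSL_QUEUE;
}

int main(void)
{
  char buf[160];
  /* Constructed inputs: a reset connection, then an expired certificate. */
  describe_connect_failure(0, "", 0, "ok", "example.test", buf, sizeof buf);
  puts(buf);
  describe_connect_failure(1, "certificate verify failed", 10,
                           "certificate has expired", "example.test",
                           buf, sizeof buf);
  puts(buf);
  return 0;
}
```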