One of the most common issues with TLS client applications is that they don't perform hostname verification or do it incorrectly (ignore SANs, handle wildcards incorrectly). As a result, they will often accept any certificate signed by any trusted CA. Given that acquiring a certificate can be completely free (even an email certificate will work), it's trivial to MitM such applications.
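An added example (my own, not code from the post or from rpmlint) of what "do it incorrectly" looks like next to a correct matcher: a glob-style wildcard comparison that lets "*" span labels, beside an RFC 6125 style check that only honours a whole left-most-label wildcard, refuses "*.com", ignores the subject CN once any SAN is present, and matches IP literals only against iPAddress SANs. Certificates are represented as plain dicts (constructed for the demo) rather than parsed X.509 objects.

```python
import fnmatch
import ipaddress


def sloppy_wildcard_matches(pattern, hostname):
    """The shortcut a careless client takes: a shell-glob comparison.
    fnmatch lets '*' span dots, so '*.example.com' matches 'a.b.example.com',
    '*.com' matches every .com host, and a bare '*' matches everything."""
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def wildcard_matches(pattern, hostname):
    """RFC 6125 style match of one dNSName pattern against a hostname.

    Rules applied:
      * case-insensitive, trailing dots ignored, exact unless a wildcard is present
      * a wildcard is only honoured as the entire left-most label ('*.example.com'),
        never inside a label ('f*.example.com') or in a later label
      * the wildcard covers exactly one label, so '*.example.com' matches
        neither 'example.com' nor 'a.b.example.com'
      * at least two labels must follow the wildcard, so '*.com' is refused
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard only allowed as the whole left-most label
    if len(p_labels) < 3:
        return False  # '*.com' would match every host under .com
    if len(h_labels) != len(p_labels):
        return False  # the wildcard stands for exactly one label
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert):
    """Decide whether `cert` was issued for `hostname`.

    `cert` is a constructed dict with optional keys:
      'san_dns': list of dNSName SAN entries
      'san_ip':  list of iPAddress SAN entries
      'cn':      the subject CN, consulted only when no SAN extension exists
    Consulting CN first, or only, is the 'ignore SANs' bug the post describes.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals must equal an iPAddress SAN; dNSName entries and
        # wildcards never apply to them.
        return any(ipaddress.ip_address(s) == ip for s in cert.get("san_ip", []))
    dns_ids = cert.get("san_dns", [])
    if dns_ids or cert.get("san_ip"):
        return any(wildcard_matches(p, hostname) for p in dns_ids)
    # Legacy fallback for certificates that carry no SAN extension at all.
    cn = cert.get("cn")
    return cn is not None and wildcard_matches(cn, hostname)


if __name__ == "__main__":
    cases = [("*.example.com", "a.b.example.com"), ("*.com", "evil.com"), ("*", "anything")]
    for pat, host in cases:
        print(f"{pat!r} vs {host!r}: sloppy={sloppy_wildcard_matches(pat, host)} "
              f"strict={wildcard_matches(pat, host)}")
```

The strict matcher is what an rpmlint-style check is ultimately trying to confirm the application calls (via the library's own helper); the sloppy one is the kind of home-grown comparison that passes a trusted-CA signature check while accepting a certificate issued for a different name.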
I'd like to extend rpmlint to perform rudimentary checks to see if that happens[1].
A draft of the proposal to FPC is here: https://fedoraproject.org/wiki/User:Hkario/HostnameChecks
Suggestions?
1 - the check would be just "if call to A is present, check if call to B is present", the way setgid, setuid, setgroups is done, just generalised
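An added sketch (mine, not the proposal's code and not rpmlint's) of the generalised "if a reference to A is present, require a reference to B" check from the footnote, driven by a rule table rather than the hard-coded setuid/setgroups case. Input is `nm -D` output, which is what a packaging-time check has at hand; the rule table, the two binaries and their symbol listings are all constructed for the demo, and the TLS rows are illustrative rather than a vetted list of every way a client can verify a hostname.

```python
import re

# Assumed rule table: trigger symbol -> symbols of which at least one is
# expected alongside it. The setuid rows mirror the existing rpmlint idea;
# the TLS rows are illustrative and would need tuning per library/version.
DEFAULT_RULES = {
    "setuid": {"setgroups", "initgroups"},
    "setresuid": {"setgroups", "initgroups"},
    "SSL_connect": {"SSL_set1_host", "X509_check_host",
                    "X509_VERIFY_PARAM_set1_host"},
    "gnutls_handshake": {"gnutls_x509_crt_check_hostname",
                         "gnutls_session_set_verify_cert"},
}

# One `nm -D` line: optional address, a one-letter symbol type, the name,
# possibly followed by an '@VERSION' or '@@VERSION' suffix.
_NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)\s*$")


def undefined_symbols(nm_output):
    """Collect the undefined ('U') symbols an object imports, with the
    symbol-version suffix stripped so 'SSL_connect@OPENSSL_1_1_0' -> 'SSL_connect'."""
    found = set()
    for line in nm_output.splitlines():
        m = _NM_LINE.match(line)
        if m and m.group(1) == "U":
            found.add(m.group(2).split("@", 1)[0])
    return found


def missing_companions(symbols, rules=DEFAULT_RULES):
    """Return (trigger, sorted companions) for every trigger present in
    `symbols` without any of its companion symbols."""
    problems = []
    for trigger, companions in rules.items():
        if trigger in symbols and not (companions & symbols):
            problems.append((trigger, sorted(companions)))
    return problems


def check_nm_output(nm_output, rules=DEFAULT_RULES):
    return missing_companions(undefined_symbols(nm_output), rules)


# Constructed `nm -D` output for two hypothetical client binaries. Note that
# SSL_get_verify_result only confirms the chain; it says nothing about the name.
SUSPECT_CLIENT = """\
                 U SSL_CTX_new@OPENSSL_1_1_0
                 U SSL_connect@OPENSSL_1_1_0
                 U SSL_get_verify_result@OPENSSL_1_1_0
                 U setuid@GLIBC_2.2.5
0000000000001189 T main
"""

CAREFUL_CLIENT = """\
                 U SSL_CTX_new@OPENSSL_1_1_0
                 U SSL_connect@OPENSSL_1_1_0
                 U SSL_set1_host@OPENSSL_1_1_0
                 U setgroups@GLIBC_2.2.5
                 U setuid@GLIBC_2.2.5
0000000000001189 T main
"""

if __name__ == "__main__":
    for name, output in (("suspect", SUSPECT_CLIENT), ("careful", CAREFUL_CLIENT)):
        for trigger, needed in check_nm_output(output):
            print(f"{name}: references {trigger} but none of {', '.join(needed)}")
```

Because it is purely a presence test on the symbol table, the result is advisory: a client that delegates TLS to a wrapper library (or verifies names via a callback) will be flagged although it is fine, and one that calls the right helper but ignores its return value will pass. That is the same trade-off the setgroups check already makes, and it is why a warning rather than an error fits.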
security-team@lists.fedoraproject.org