require Host if SSL is used despite Tunnel

src/mbsync.1

@@ -238,8 +238,9 @@ Define the IMAP4 Account \fIname\fR, opening a section for its parameters.
 \fBHost\fR \fIhost\fR
 Specify the DNS name or IP address of the IMAP server.
 .br
-If \fBTunnel\fR is used, this setting is used only for SSL host certificate
-verification, if provided.
+If \fBTunnel\fR is used, this setting is needed only if \fBSSLType\fR is
+not \fINone\fR and \fBCertificateFile\fR is not used,
+in which case the host name is used for certificate subject verification.
 ..
 .TP
 \fBPort\fR \fIport\fR

src/socket.c

@@ -177,8 +177,10 @@ verify_cert_host( const server_conf_t *conf, conn_t *sock )
 		return -1;
 	}
 
-	if (!conf->host)
-		return 0; /* SSL on top of a tunnel, no host specified. */
+	if (!conf->host) {
+		error( "SSL error connecting %s: Neither host nor matching certificate specified\n", sock->name );
+		return -1;
+	}
 
 	return verify_hostname( cert, conf->host );
 }