commit | 55a6250f1e7336e8a7d89fb609eb23398715ff6f | [log] [tgz] |
---|---|---|
author | Viktor Dukhovni <openssl-users@dukhovni.org> | Tue May 22 01:09:25 2018 -0400 |
committer | Viktor Dukhovni <openssl-users@dukhovni.org> | Wed May 23 11:12:17 2018 -0400 |
tree | 06575da5e57dc6bd8c1cef488c655df0e79cd4f5 | |
parent | d02d80b2e80adfdde49f76cf7c7af4e013f45005 [diff] |
Skip CN DNS name constraint checks when not needed Only check the CN against DNS name contraints if the `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the certificate has no DNS subject alternative names or the `X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set. Add pertinent documentation, and touch up some stale text about name checks and DANE. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>