Skip CN DNS name constraint checks when not needed (55a6250f) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

Commit 55a6250f authored May 22, 2018 by

Viktor Dukhovni

Skip CN DNS name constraint checks when not needed



Only check the CN against DNS name contraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.

Add pertinent documentation, and touch up some stale text about
name checks and DANE.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

parent d02d80b2

Hide whitespace changes

Inline Side-by-side

Please register or to comment