Skip CN DNS name constraint checks when not needed

Only check the CN against DNS name constraints if the `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the certificate has no DNS subject alternative names or the `X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set. Add pertinent documentation, and touch up some stale text about name checks and DANE.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>