Skip to content
Commit 6d3cfd13 authored by Viktor Dukhovni's avatar Viktor Dukhovni
Browse files

Skip CN DNS name constraint checks when not needed



Only check the CN against DNS name contraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.

Add pertinent documentation, and touch up some stale text about
name checks and DANE.

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
parent c2c2c7b3
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment