Loading crypto/x509v3/v3_utl.c +2 −4 Original line number Diff line number Diff line Loading @@ -978,14 +978,12 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, GENERAL_NAMES_free(gens); if (rv != 0) return rv; if (cnid == NID_undef || (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))) if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)) return 0; } /* We're done if CN-ID is not pertinent */ if (cnid == NID_undef) if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) return 0; i = -1; Loading doc/crypto/X509_check_host.pod +8 −0 Original line number Diff line number Diff line Loading @@ -70,6 +70,8 @@ flags: =item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>, =item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>, =item B<X509_CHECK_FLAG_NO_WILDCARDS>, =item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>, Loading @@ -86,6 +88,12 @@ one subject alternative name of the right type (DNS name or email address as appropriate); the default is to ignore the subject DN when at least one corresponding subject alternative names is present. The B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never consider the subject DN even if the certificate contains no subject alternative names of the right type (DNS name or email address as appropriate); the default is to use the subject DN when no corresponding subject alternative names are present. If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard expansion; this only applies to B<X509_check_host>. Loading include/openssl/x509v3.h +2 −0 Original line number Diff line number Diff line Loading 
@@ -737,6 +737,8 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); # define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8 /* Constraint verifier subdomain patterns to match a single labels. */ # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 /* Never check the subject CN */ # define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 /* * Match reference identifiers starting with "." to any sub-domain. * This is a non-public flag, turned on implicitly when the subject Loading Loading
crypto/x509v3/v3_utl.c +2 −4 Original line number Diff line number Diff line Loading @@ -978,14 +978,12 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, GENERAL_NAMES_free(gens); if (rv != 0) return rv; if (cnid == NID_undef || (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT))) if (san_present && !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)) return 0; } /* We're done if CN-ID is not pertinent */ if (cnid == NID_undef) if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) return 0; i = -1; Loading
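Review bot: The precedence between the two subject flags is left implicit at the rewritten test `if (cnid == NID_undef || (flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) return 0;`. When a caller sets both X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT and X509_CHECK_FLAG_NEVER_CHECK_SUBJECT, the first test falls through and this one returns before the subject is examined, so NEVER wins. Neither the existing comment nor the pod text added in this commit says so. I would extend the comment above the test to `/* We're done if CN-ID is not pertinent or subject checks are disabled; NEVER_CHECK_SUBJECT overrides ALWAYS_CHECK_SUBJECT */` and add the same sentence to X509_check_host.pod. The early `return 0` appears to be the no-match result, which is the fail-closed outcome for a certificate with no SAN of the right type, but the rest of do_x509_check lies outside the hunk, so confirm that against the full function.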
doc/crypto/X509_check_host.pod +8 −0 Original line number Diff line number Diff line Loading @@ -70,6 +70,8 @@ flags: =item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>, =item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>, =item B<X509_CHECK_FLAG_NO_WILDCARDS>, =item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>, Loading @@ -86,6 +88,12 @@ one subject alternative name of the right type (DNS name or email address as appropriate); the default is to ignore the subject DN when at least one corresponding subject alternative names is present. The B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never consider the subject DN even if the certificate contains no subject alternative names of the right type (DNS name or email address as appropriate); the default is to use the subject DN when no corresponding subject alternative names are present. If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard expansion; this only applies to B<X509_check_host>. Loading
include/openssl/x509v3.h +2 −0 Original line number Diff line number Diff line Loading @@ -737,6 +737,8 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); # define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8 /* Constraint verifier subdomain patterns to match a single labels. */ # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 /* Never check the subject CN */ # define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 /* * Match reference identifiers starting with "." to any sub-domain. * This is a non-public flag, turned on implicitly when the subject Loading
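Review bot: The new comment `/* Never check the subject CN */` is narrower than what the flag is documented to do. The pod text in this commit describes it as never considering the subject DN, for DNS name or email address checks alike. A comment such as `/* Never check the subject DN (CN or email address), even when no matching subject alternative name is present */` would keep the header and the manual page consistent. The hunk ends inside the comment for the following non-public flag, so that flag's value is not visible here; it is worth confirming that 0x20 does not overlap it.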