Skip CN DNS name constraint checks when not needed
author Viktor Dukhovni <openssl-users@dukhovni.org>
Tue, 22 May 2018 05:09:25 +0000 (01:09 -0400)
committer Viktor Dukhovni <openssl-users@dukhovni.org>
Wed, 23 May 2018 15:12:17 +0000 (11:12 -0400)
commit 55a6250f1e7336e8a7d89fb609eb23398715ff6f
tree 06575da5e57dc6bd8c1cef488c655df0e79cd4f5
parent d02d80b2e80adfdde49f76cf7c7af4e013f45005
Skip CN DNS name constraint checks when not needed

Only check the CN against DNS name constraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.

Add pertinent documentation, and touch up some stale text about
name checks and DANE.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
crypto/x509/x509_vfy.c
crypto/x509v3/v3_ncons.c
doc/man3/SSL_set1_host.pod
doc/man3/X509_VERIFY_PARAM_set_flags.pod
doc/man3/X509_check_host.pod