=item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>,
+=item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>,
+
=item B<X509_CHECK_FLAG_NO_WILDCARDS>,
=item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>,
address as appropriate); the default is to ignore the subject DN
when at least one corresponding subject alternative names is present.
+The B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never
+consider the subject DN even if the certificate contains no subject alternative
+names of the right type (DNS name or email address as appropriate); the default
+is to use the subject DN when no corresponding subject alternative names are
+present.
+
If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard
expansion; this only applies to B<X509_check_host>.