Add X509_CHECK_FLAG_NEVER_CHECK_SUBJECT flag

[openssl.git] / doc / crypto / X509_check_host.pod

diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod
index 23447f41f205c2627636297d3e594fcd8282ffb3..d35ade8cb918b66f4e964fd456f6e1932a8fb622 100644 (file)
--- a/doc/crypto/X509_check_host.pod
+++ b/doc/crypto/X509_check_host.pod
@@ -70,6 +70,8 @@ flags:
 
 =item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>,
 
+=item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>,
+
 =item B<X509_CHECK_FLAG_NO_WILDCARDS>,
 
 =item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>,
@@ -86,6 +88,12 @@ one subject alternative name of the right type (DNS name or email
 address as appropriate); the default is to ignore the subject DN
 when at least one corresponding subject alternative names is present.
 
+The B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never
+consider the subject DN even if the certificate contains no subject alternative
+names of the right type (DNS name or email address as appropriate); the default
+is to use the subject DN when no corresponding subject alternative names are
+present.
+
 If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard
 expansion; this only applies to B<X509_check_host>.