-The certificate matching functions are intended to be called to check
-if a certificate matches a given host name, email address, or IP
-address. The validity of the certificate and its trust level has to
-be checked by other means.
-
-X509_check_host() checks if the certificate matches the specified
-host name, which must be encoded in the preferred name syntax
-described in section 3.5 of RFC 1034. The B<namelen> argument must be
-the number of characters in the name string or zero in which case the
-length is calculated with strlen(name). When B<name> starts with
-a dot (e.g ".example.com"), it will be matched by a certificate
+The certificate matching functions are used to check whether a
+certificate matches a given host name, email address, or IP address.
+The validity of the certificate and its trust level has to be checked by
+other means.
+
+X509_check_host() checks if the certificate Subject Alternative
+Name (SAN) or Subject CommonName (CN) matches the specified host
+name, which must be encoded in the preferred name syntax described
+in section 3.5 of RFC 1034. By default, wildcards are supported
+and they match only in the left-most label; but they may match
+part of that label with an explicit prefix or suffix. For example,
+by default, the host B<name> "www.example.com" would match a
+certificate with a SAN or CN value of "*.example.com", "w*.example.com"
+or "*w.example.com".
+
+Per section 6.4.2 of RFC 6125, B<name> values representing international
+domain names must be given in A-label form. The B<namelen> argument
+must be the number of characters in the name string or zero in which
+case the length is calculated with strlen(B<name>). When B<name> starts
+with a dot (e.g ".example.com"), it will be matched by a certificate