Skip CN DNS name constraint checks when not needed
author Viktor Dukhovni <openssl-users@dukhovni.org>
Tue, 22 May 2018 18:46:02 +0000 (14:46 -0400)
committer Viktor Dukhovni <openssl-users@dukhovni.org>
Wed, 23 May 2018 15:08:48 +0000 (11:08 -0400)
commit 6d3cfd13a904a03fc3522da935136dcdd12e9014
tree 9eac6b056b9bc2a5e5dfa19291d3c4a180f9aba1
parent c2c2c7b3f1df94f9a447cc3cf8196579543cc57e
Skip CN DNS name constraint checks when not needed

Only check the CN against DNS name constraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.

Add pertinent documentation, and touch up some stale text about
name checks and DANE.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
crypto/x509/x509_vfy.c
crypto/x509v3/v3_ncons.c
doc/crypto/X509_VERIFY_PARAM_set_flags.pod
doc/crypto/X509_check_host.pod
doc/ssl/SSL_set1_host.pod