>> When you see a name like "example.com" in the CN, it's usually a CA
>> including a domain name and not a hostname.
>
> That's nonsense.

If a certificate is issued under CA/B policies, and CN=example.com but it _lacks_ SAN=example.com, then it's not a hostname and it should not be matched.

I'm aware of OpenSSL's behavior in the matter. But OpenSSL does not understand issuing policies so it's easy to confuse. Forgive me if OpenSSL is now imbued with knowledge of issuing policies and how matching should occur outside of the RFCs.

Jeff
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users