Add X509_CHECK_FLAG_NEVER_CHECK_SUBJECT flag

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
author: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-03-08 15:20:02 -0500
committer: Viktor Dukhovni <openssl-users@dukhovni.org> 2016-03-09 20:41:28 -0500
commit: dd60efea955e41a6f0926f93ec1503c6f83c4e58 (patch)
tree: 1068aa7ab94a6acca182698c0bfdca10ecf84286 /doc
parent: 29f082603a14bd8d6816a71a17f7c76adca7817d (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod
index 23447f41f2..d35ade8cb9 100644
--- a/doc/crypto/X509_check_host.pod
+++ b/doc/crypto/X509_check_host.pod
@@ -70,6 +70,8 @@ flags:
 
 =item B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT>,
 
+=item B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT>,
+
 =item B<X509_CHECK_FLAG_NO_WILDCARDS>,
 
 =item B<X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS>,
@@ -86,6 +88,12 @@ one subject alternative name of the right type (DNS name or email
 address as appropriate); the default is to ignore the subject DN
 when at least one corresponding subject alternative names is present.
 
+The B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> flag causes the function to never
+consider the subject DN even if the certificate contains no subject alternative
+names of the right type (DNS name or email address as appropriate); the default
+is to use the subject DN when no corresponding subject alternative names are
+present.
+
 If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard
 expansion; this only applies to B<X509_check_host>.
author	Viktor Dukhovni <openssl-users@dukhovni.org>	2016-03-08 15:20:02 -0500
committer	Viktor Dukhovni <openssl-users@dukhovni.org>	2016-03-09 20:41:28 -0500
commit	dd60efea955e41a6f0926f93ec1503c6f83c4e58 (patch)
tree	1068aa7ab94a6acca182698c0bfdca10ecf84286 /doc
parent	29f082603a14bd8d6816a71a17f7c76adca7817d (diff)