Hi Denis,

On Fri, 23 Aug 2019 at 18:00, Denis Kenzior wrote:
> On 8/22/19 7:41 PM, Andrew Zaborowski wrote:
> > - if (!cn)
> > + if (cn)
> > + for (i = mask; *i; i++)
> > + if (tls_domain_match_mask(cn, cn_len, *i, strlen(*i)))
> > + return true;
> > +
> > + /*
> > + * Locate SubjectAltName (RFC5280 Section 4.2.1.6) and descend into
> > + * the sole SEQUENCE element, check if any DNSName matches.
> > + */
>
> So I think the recommended approach is to check all SubjectAltName
> dNSName tags first. And only then try to match the CN, no?

Maybe more optimal, so I can switch this around, although as far as I've seen in HTTPS certificates the server name is usually right in the CN. The return value is going to be the same independent of the order in which we do the checks.

Best regards
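Review bot: the CN loop `for (i = mask; *i; i++)` runs unconditionally before the SubjectAltName scan, so a certificate whose dNSName entries do not cover the requested name still verifies whenever its CN happens to match. RFC 6125 section 6.4.4 says the CN should only be consulted when the certificate carries no dNSName subjectAltName at all, so once that rule is applied the order of the two checks does change the return value; suggest scanning the SAN dNSName entries first and falling back to the CN loop only when no dNSName entry was present.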
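The two policies under discussion, written out as an added example that is not code from ell or iwd: `match_either` accepts a hit in either the CN or any SAN dNSName (where, as the reply says, the order of the checks cannot change the result), while `match_rfc6125` applies the RFC 6125 section 6.4.4 precedence, consulting the CN only when the certificate has no dNSName SAN at all. The `Cert` dataclass, the `domain_match` helper and the sample certificates are assumptions constructed for the example; no ASN.1 parsing is done.

```python
"""Hostname matching against a TLS certificate: SAN dNSName vs. CN.

Added example, not code from ell/iwd.  Certificates are modelled as plain
dataclasses; a real implementation would obtain these fields by parsing the
Subject and the SubjectAltName extension (RFC 5280 section 4.2.1.6).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Minimal stand-in for the identity fields of an X.509 certificate."""
    cn: Optional[str]                                   # subject commonName, may be absent
    san_dns: List[str] = field(default_factory=list)    # dNSName entries from SAN


def domain_match(pattern: str, host: str) -> bool:
    """Match one reference identifier (CN or dNSName) against a host name.

    Rules follow RFC 6125 section 6.4.3: case-insensitive comparison, a
    wildcard is accepted only as the complete left-most label, and it never
    spans a dot.  As an extra conservative choice made here, the wildcard
    must be followed by at least two labels, which rejects "*.com"-style
    patterns.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_either(cert: Cert, host: str) -> bool:
    """Policy (a): accept a match in the CN or in any SAN dNSName.

    Both sources are always consulted, so the result is independent of
    whether the CN or the SAN is examined first.
    """
    cn_hit = cert.cn is not None and domain_match(cert.cn, host)
    san_hit = any(domain_match(name, host) for name in cert.san_dns)
    return cn_hit or san_hit


def match_rfc6125(cert: Cert, host: str) -> bool:
    """Policy (b): SAN dNSName entries take precedence (RFC 6125 6.4.4).

    The CN is only a fallback for certificates that carry no dNSName SAN;
    when dNSName entries exist the CN is ignored even if it would match.
    """
    if cert.san_dns:
        return any(domain_match(name, host) for name in cert.san_dns)
    return cert.cn is not None and domain_match(cert.cn, host)


# Constructed sample certificates for the demonstration (not real certificates).
CERT_CN_ONLY = Cert(cn="www.example.com")
CERT_SAN_ONLY = Cert(cn=None, san_dns=["www.example.com", "*.example.org"])
CERT_MISMATCHED_CN = Cert(cn="www.example.com", san_dns=["api.example.net"])


def compare_policies(cert: Cert, host: str):
    """Return (policy_a, policy_b) so the two outcomes can be compared."""
    return match_either(cert, host), match_rfc6125(cert, host)


if __name__ == "__main__":
    for cert, host in [
        (CERT_CN_ONLY, "www.example.com"),
        (CERT_SAN_ONLY, "foo.example.org"),
        (CERT_MISMATCHED_CN, "www.example.com"),
    ]:
        print(host, cert, compare_policies(cert, host))
```

The third sample is the case that separates the two policies: its CN matches the requested name but its only dNSName does not, so `match_either` accepts it and `match_rfc6125` rejects it.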