From adb3cc5a5a93fb571676f6e19028c4fb2320b02a Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Mon, 2 Jul 2018 13:39:11 -0700
Subject: [PATCH 1/2] Subject Alt Name Matching 1. Added certificates for
 localhost where the CN and SAN match and differ. 2. Change subject name
 matching so the CN is checked if the SAN list doesn't exit, and only check
 the SAN list if present. 3. Added a test case for the CN/SAN mismatch. 4. Old
 matching behavior restored with build option WOLFSSL_ALLOW_NO_CN_IN_SAN. 5.
 Add test case for a correct certificate.

Note: The test for the garbage certificate should fail. If you enable the old behavior, that test case will start succeeding, causing the test to fail.
---
 certs/test/gen-testcerts.sh     |   6 +++
 certs/test/server-garbage.der   | Bin 0 -> 917 bytes
 certs/test/server-garbage.pem   |  75 ++++++++++++++++++++++++++++++++
 certs/test/server-localhost.der | Bin 0 -> 919 bytes
 certs/test/server-localhost.pem |  75 ++++++++++++++++++++++++++++++++
 src/internal.c                  |  24 ++++++++++
 tests/test-fails.conf           |  14 ++++++
 tests/test.conf                 |  12 +++++
 8 files changed, 206 insertions(+)
 create mode 100644 certs/test/server-garbage.der
 create mode 100644 certs/test/server-garbage.pem
 create mode 100644 certs/test/server-localhost.der
 create mode 100644 certs/test/server-localhost.pem

diff --git a/certs/test/gen-testcerts.sh b/certs/test/gen-testcerts.sh
index 634b62166..f07721c42 100755
--- a/certs/test/gen-testcerts.sh
+++ b/certs/test/gen-testcerts.sh
@@ -95,3 +95,9 @@ generate_test_cert server-badaltnull www.nomatch.com DER:30:0d:82:0b:6c:6f:63:61
 
 # Generate Bad Alt Name CN=www.nomatch.com, Alt=www.nomatch.com
 generate_test_cert server-badaltname www.nomatch.com www.nomatch.com
+
+# Generate Good Alt Name CN=localhost, Alt=localhost
+generate_test_cert server-localhost localhost localhost
+
+# Generate Bad Alt Name CN=localhost, Alt=garbage
+generate_test_cert server-garbage localhost garbage
diff --git a/certs/test/server-garbage.der b/certs/test/server-garbage.der
new file mode 100644
index 0000000000000000000000000000000000000000..febc7b770d194b10bd76ee0b30ce2b94ab198741
GIT binary patch
literal 917
zcmXqLVxDNw#8kO}nTe5!iIbu4#$t|R77K41@Un4gwRyCC=VfH%W@Rv_G2}MjWMd9x
zVH0Kw4K@@o-~(|uc-VdO^GXu)5@90jJnT;SRjIj&d4?heLLfEVJlw8%>6v+{sYRK2
z>4riE0w7Ul9?qQn<iwne{NfTrc>`IvZJdl^0-1Sf`3~jzIcdekIeN+Yxdw9LyoMGA
zW=7_QmZru=22tX?MurB)M#fO?0K2Y<Q3*M?7+D#Zn;7{S44N3Zn3@<F84gV4co^>Z
zsW5l@C09pv#?)i3>ptyKG1xKnoW9?+Z!#TwYUcl5kzW5VW=>$~_pVdy&rS9FAMUL_
zpkK2(Wrg^kQ?b>%9w<I7(#zLtyD_!+)*9*Ho$>b9C3#i-A0{UUc5|oLuXWzBR3^q`
z^E!qF$w$A{b4O-W6ff(MSjm*T{;(vY-VTAs$Idux$z1GaoY|gtWViUT&oAz-E#6bD
zuekMZS|HEfkj)Qs<7M_J7hmLL?i9HsuruYb)`f-By!Jf2A{Bjn!GVLx75pyd21e5w
zjFhJ?EZ-%3X?pRaSk;qRyoW6lmTcLO>Ey)u@&?BqV};ETO3PQhKJxHcV)M~U)9&BA
z;J@}d6Eh<N<6<!bNP>_RWZ^d8Y+_GOEJ{jDPel$nZg9vkGK81!TwK<y^-+K)g^6qJ
z%(hUCCkGlAt^Bk;*JJNeCQrt2;}xyp-%@*|80#zf*GpVla-Uhm!@;QVhl}W@v%wdF
zo8-?jFU|PIF)M0$ocE+vcipaNA8c&CUuwH&Q;PHakC)8PY{)C!qBCDcN}PrFV8hDU
zDaW>~V%!vErf`e1p?>o9z<sL@MudI0<_Vs8xMXGu|KnQk3Y9*NGSOC11E;LihOfFy
zzua8qBouQt<M{I(t`l_b2Bog+6v>NHw-I1nCzkq$MJSD3IO*AP);6)ID%&}QVds~)
yf350@+P(OyyXxKpm)0t+kGyte+R6>AUo4J?xk+A?Hkj|Gw<NN==-Kk-nZf|*u2Ap*

literal 0
HcmV?d00001

diff --git a/certs/test/server-garbage.pem b/certs/test/server-garbage.pem
new file mode 100644
index 000000000..7ab2aaf5e
--- /dev/null
+++ b/certs/test/server-garbage.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            8e:d8:a3:08:c6:38:a1:db
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Jun 27 19:53:20 2018 GMT
+            Not After : Mar 23 19:53:20 2021 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
+                    01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
+                    f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75:
+                    f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab:
+                    64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e:
+                    86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25:
+                    4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c:
+                    34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6:
+                    8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc:
+                    40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8:
+                    dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3:
+                    e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9:
+                    64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0:
+                    c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77:
+                    ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4:
+                    b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22:
+                    a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f:
+                    ad:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:garbage
+    Signature Algorithm: sha256WithRSAEncryption
+         57:77:b9:a3:76:83:2a:f1:10:0c:64:02:0a:ad:99:86:55:28:
+         e4:c0:81:a2:a9:f2:af:6d:48:bd:a5:02:49:01:57:33:a8:85:
+         57:f6:65:8c:1a:01:7f:79:0f:af:18:d2:a4:df:03:14:48:40:
+         32:71:f8:44:15:b2:cd:53:d0:53:82:1f:cd:03:a5:68:f6:08:
+         9a:5a:a7:5e:4b:92:aa:dd:46:d4:2b:c1:81:83:df:75:3d:bc:
+         b2:64:43:9f:f1:d2:37:cc:b0:6e:75:b4:2c:9f:1c:1a:17:04:
+         0d:c1:80:a9:9b:64:c6:b4:aa:01:b2:5a:36:20:da:09:80:7f:
+         93:d7:51:be:aa:c1:58:56:f7:3b:0c:53:99:c3:74:99:64:0f:
+         e3:7d:4b:78:24:8e:08:76:15:85:15:30:42:6a:65:80:f5:2d:
+         a5:f4:d9:aa:42:12:5c:cd:68:c7:e7:b8:45:90:2c:dd:52:65:
+         ae:89:14:6e:5a:27:3c:10:05:ae:16:65:fc:04:12:66:07:13:
+         62:e6:a7:05:86:16:5a:7a:3d:9c:71:56:cf:a4:47:f5:7a:8a:
+         5a:bb:a3:d5:47:25:bd:c0:d2:ad:22:af:59:d6:d4:96:a9:b0:
+         05:f4:38:c7:56:46:19:d5:1b:30:9f:46:2e:a4:59:8b:72:e6:
+         a7:83:99:13
+-----BEGIN CERTIFICATE-----
+MIIDkTCCAnmgAwIBAgIJAI7YowjGOKHbMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD
+VQQLDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MR8wHQYJKoZIhvcN
+AQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MDYyNzE5NTMyMFoXDTIxMDMyMzE5
+NTMyMFowfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM
+B0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhv
+c3QxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu8rwkMLiVzi9O
+1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu64CHlci5vLobY
+lXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZaHhzpowYqQJt
+r8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1Us+FtXxy8I3PR
+CQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT0pdz4l0lyWoN
+wzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMBAAGjFjAUMBIG
+A1UdEQQLMAmCB2dhcmJhZ2UwDQYJKoZIhvcNAQELBQADggEBAFd3uaN2gyrxEAxk
+AgqtmYZVKOTAgaKp8q9tSL2lAkkBVzOohVf2ZYwaAX95D68Y0qTfAxRIQDJx+EQV
+ss1T0FOCH80DpWj2CJpap15LkqrdRtQrwYGD33U9vLJkQ5/x0jfMsG51tCyfHBoX
+BA3BgKmbZMa0qgGyWjYg2gmAf5PXUb6qwVhW9zsMU5nDdJlkD+N9S3gkjgh2FYUV
+MEJqZYD1LaX02apCElzNaMfnuEWQLN1SZa6JFG5aJzwQBa4WZfwEEmYHE2LmpwWG
+Flp6PZxxVs+kR/V6ilq7o9VHJb3A0q0ir1nW1JapsAX0OMdWRhnVGzCfRi6kWYty
+5qeDmRM=
+-----END CERTIFICATE-----
diff --git a/certs/test/server-localhost.der b/certs/test/server-localhost.der
new file mode 100644
index 0000000000000000000000000000000000000000..22c2780088fecfa24aa3c8ede539a6834dba8f39
GIT binary patch
literal 919
zcmXqLVxDZ!#8kb2nTe5!iId@R-Fr9R6N^_H@Un4gwRyCC=VfH%W@Rv_G2}MjWMd9x
zVH0Kw4K@@o-~(|uc-VdO^GXu)5@90jJnT;SRjIj&d4?heLLfEVJlw8%>6v+{sYRK2
z>4riE0w7Ul9?qQn<iwne{NfTrc>`IvZJdl^0-1Sf`3~jzIcdekIeN+Yxdw9LyoMGA
zW=7_QmZru=22tX?MurB)M#fO?0K2Y<Q3*M?7+D#Zn;7{S44N3Zn3@<F84gV4co^>Z
zsW5l@C09pv#?)i3>ptyKG1xKnoW9?+Z!#TwYUcl5kzW5VW=>$~_pVdy&rS9FAMUL_
zpkK2(Wrg^kQ?b>%9w<I7(#zLtyD_!+)*9*Ho$>b9C3#i-A0{UUc5|oLuXWzBR3^q`
z^E!qF$w$A{b4O-W6ff(MSjm*T{;(vY-VTAs$Idux$z1GaoY|gtWViUT&oAz-E#6bD
zuekMZS|HEfkj)Qs<7M_J7hmLL?i9HsuruYb)`f-By!Jf2A{Bjn!GVLx75pyd21e5w
zjFhJ?EZ-%3X?pRaSk;qRyoW6lmTcLO>Ey)u@&?BqV};ETO3PQhKJxHcV)M~U)9&BA
z;J@}d6Eh<N<6;Q|F#{1c=1^Hd7G4AHCPefjhaERK>=+qLrHW=I9w^|B7fSzC@|98h
zQdIf;33s1p-`akMX@aS)<Lbw^7iS7FJU>&Ix3O_<`D}fEu0ZDN?5_V3>*W7zi}bYQ
z5-d)hvdnJ9m9?^yf5o4F|0_tjz542|uqjT9SrfNDU3=(K=O&((iw4)O$7pTW{OG&$
zRQ*Gr|7%uCo6mLlbvnrPo~-7pM2j_NEP37D{qN*I)v@EFMvhK={z3JCr&fyllG&H<
z+|w!X?bG7eurLXubGAz?<m`)VgbKblm$<w?nfY(-o0vyeH1mt^OE^nRTzLI%xsv0j
x@20Zu2Hy65?;gY#nOPkV5#Ghe|Ac$X6TM%FW?#Kc-B+-A{+b<sXwk&hn*g2ST5|vZ

literal 0
HcmV?d00001

diff --git a/certs/test/server-localhost.pem b/certs/test/server-localhost.pem
new file mode 100644
index 000000000..817e2fbdd
--- /dev/null
+++ b/certs/test/server-localhost.pem
@@ -0,0 +1,75 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            e3:7e:ef:46:4d:c8:a3:ab
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Validity
+            Not Before: Jun 27 19:53:20 2018 GMT
+            Not After : Mar 23 19:53:20 2021 GMT
+        Subject: C = US, ST = Montana, L = Bozeman, OU = Engineering, CN = localhost, emailAddress = info@wolfssl.com
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:c0:95:08:e1:57:41:f2:71:6d:b7:d2:45:41:27:
+                    01:65:c6:45:ae:f2:bc:24:30:b8:95:ce:2f:4e:d6:
+                    f6:1c:88:bc:7c:9f:fb:a8:67:7f:fe:5c:9c:51:75:
+                    f7:8a:ca:07:e7:35:2f:8f:e1:bd:7b:c0:2f:7c:ab:
+                    64:a8:17:fc:ca:5d:7b:ba:e0:21:e5:72:2e:6f:2e:
+                    86:d8:95:73:da:ac:1b:53:b9:5f:3f:d7:19:0d:25:
+                    4f:e1:63:63:51:8b:0b:64:3f:ad:43:b8:a5:1c:5c:
+                    34:b3:ae:00:a0:63:c5:f6:7f:0b:59:68:78:73:a6:
+                    8c:18:a9:02:6d:af:c3:19:01:2e:b8:10:e3:c6:cc:
+                    40:b4:69:a3:46:33:69:87:6e:c4:bb:17:a6:f3:e8:
+                    dd:ad:73:bc:7b:2f:21:b5:fd:66:51:0c:bd:54:b3:
+                    e1:6d:5f:1c:bc:23:73:d1:09:03:89:14:d2:10:b9:
+                    64:c3:2a:d0:a1:96:4a:bc:e1:d4:1a:5b:c7:a0:c0:
+                    c1:63:78:0f:44:37:30:32:96:80:32:23:95:a1:77:
+                    ba:13:d2:97:73:e2:5d:25:c9:6a:0d:c3:39:60:a4:
+                    b4:b0:69:42:42:09:e9:d8:08:bc:33:20:b3:58:22:
+                    a7:aa:eb:c4:e1:e6:61:83:c5:d2:96:df:d9:d0:4f:
+                    ad:d7
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:localhost
+    Signature Algorithm: sha256WithRSAEncryption
+         35:1a:72:99:61:c0:70:0b:5f:12:67:fa:74:f5:01:2b:d2:5a:
+         77:9f:90:dd:e4:2b:da:b7:dc:02:90:35:2d:41:ab:e3:db:a3:
+         69:12:00:e7:cc:71:6e:b1:81:9d:77:9b:2f:4f:0a:51:03:d7:
+         07:45:fe:61:7e:1f:fc:b6:59:49:39:0a:11:73:63:94:a6:3e:
+         a8:d4:ad:1d:93:fa:5f:cf:ef:fa:52:23:87:7b:d5:ba:56:94:
+         42:a3:05:61:b5:e5:ad:c2:d2:89:b2:0c:84:d1:30:d6:d7:5c:
+         2a:b7:29:f1:4d:b9:ca:7f:e1:4c:ff:ac:a9:1b:37:9d:40:fa:
+         cb:52:45:de:1d:29:ea:61:38:ac:cc:39:0d:46:ee:ff:89:0f:
+         ca:88:b8:f1:28:6c:2c:5f:6f:c1:27:50:e5:3a:21:be:63:07:
+         a7:b9:bc:89:18:f6:f2:a3:5d:56:56:18:32:ce:3d:a4:38:1e:
+         3f:72:3c:12:70:f7:83:74:44:ef:c9:69:fe:9d:ec:5c:e2:d4:
+         29:6f:73:df:18:43:18:91:a1:d7:dd:77:22:41:f2:f7:35:1d:
+         47:30:4b:3f:4e:ee:e0:5f:72:36:3a:c7:54:13:ba:0e:0f:e4:
+         0b:b4:e4:2e:fa:61:36:f5:4b:35:47:a8:06:49:fa:9b:5f:c2:
+         a2:91:85:d9
+-----BEGIN CERTIFICATE-----
+MIIDkzCCAnugAwIBAgIJAON+70ZNyKOrMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNV
+BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMRQwEgYD
+VQQLDAtFbmdpbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MR8wHQYJKoZIhvcN
+AQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTE4MDYyNzE5NTMyMFoXDTIxMDMyMzE5
+NTMyMFowfDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcM
+B0JvemVtYW4xFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIwEAYDVQQDDAlsb2NhbGhv
+c3QxHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQDAlQjhV0HycW230kVBJwFlxkWu8rwkMLiVzi9O
+1vYciLx8n/uoZ3/+XJxRdfeKygfnNS+P4b17wC98q2SoF/zKXXu64CHlci5vLobY
+lXParBtTuV8/1xkNJU/hY2NRiwtkP61DuKUcXDSzrgCgY8X2fwtZaHhzpowYqQJt
+r8MZAS64EOPGzEC0aaNGM2mHbsS7F6bz6N2tc7x7LyG1/WZRDL1Us+FtXxy8I3PR
+CQOJFNIQuWTDKtChlkq84dQaW8egwMFjeA9ENzAyloAyI5Whd7oT0pdz4l0lyWoN
+wzlgpLSwaUJCCenYCLwzILNYIqeq68Th5mGDxdKW39nQT63XAgMBAAGjGDAWMBQG
+A1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEANRpymWHAcAtf
+Emf6dPUBK9Jad5+Q3eQr2rfcApA1LUGr49ujaRIA58xxbrGBnXebL08KUQPXB0X+
+YX4f/LZZSTkKEXNjlKY+qNStHZP6X8/v+lIjh3vVulaUQqMFYbXlrcLSibIMhNEw
+1tdcKrcp8U25yn/hTP+sqRs3nUD6y1JF3h0p6mE4rMw5DUbu/4kPyoi48ShsLF9v
+wSdQ5TohvmMHp7m8iRj28qNdVlYYMs49pDgeP3I8EnD3g3RE78lp/p3sXOLUKW9z
+3xhDGJGh1913IkHy9zUdRzBLP07u4F9yNjrHVBO6Dg/kC7TkLvphNvVLNUeoBkn6
+m1/CopGF2Q==
+-----END CERTIFICATE-----
diff --git a/src/internal.c b/src/internal.c
index dd60f7d18..c71dc311f 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -9158,6 +9158,29 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 }
 
                 if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
+                #ifndef WOLFSSL_ALLOW_NO_CN_IN_SAN
+                    /* Per RFC 5280 section 4.2.1.6, "Whenever such identities
+                     * are to be bound into a certificate, the subject
+                     * alternative name extension MUST be used." */
+                    if (args->dCert->altNames) {
+                        if (CheckAltNames(args->dCert,
+                                (char*)ssl->buffers.domainName.buffer) == 0 ) {
+                            WOLFSSL_MSG("DomainName match on alt names failed");
+                            /* try to get peer key still */
+                            ret = DOMAIN_NAME_MISMATCH;
+                        }
+                    }
+                    else {
+                        if (MatchDomainName(
+                                 args->dCert->subjectCN,
+                                 args->dCert->subjectCNLen,
+                                 (char*)ssl->buffers.domainName.buffer) == 0) {
+                            WOLFSSL_MSG("DomainName match on common name failed");
+                            ret = DOMAIN_NAME_MISMATCH;
+                        }
+                    }
+                #else /* WOLFSSL_ALL_NO_CN_IN_SAN */
+                    /* Old behavior. */
                     if (MatchDomainName(args->dCert->subjectCN,
                                 args->dCert->subjectCNLen,
                                 (char*)ssl->buffers.domainName.buffer) == 0) {
@@ -9170,6 +9193,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                             ret = DOMAIN_NAME_MISMATCH;
                         }
                     }
+                #endif /* WOLFSSL_ALL_NO_CN_IN_SAN */
                 }
 
                 /* decode peer key */
diff --git a/tests/test-fails.conf b/tests/test-fails.conf
index e9fda3021..1c8f6e5ef 100644
--- a/tests/test-fails.conf
+++ b/tests/test-fails.conf
@@ -94,3 +94,17 @@
 # client ECC bad sig error
 -v 3
 -l ECDHE-ECDSA-AES128-GCM-SHA256
+
+# server missing CN from alternate names list
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-c ./certs/test/server-garbage.pem
+
+# client missing CN from alternate names list
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-h localhost
+-A ./certs/test/server-garbage.pem
+-m
+-X
+
diff --git a/tests/test.conf b/tests/test.conf
index 2bee587ae..b1b8fe9fb 100644
--- a/tests/test.conf
+++ b/tests/test.conf
@@ -2306,3 +2306,15 @@
 -A ./certs/test/server-goodaltwild.pem
 -m
 -C
+
+# server CN in alternate names list
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-c ./certs/test/server-localhost.pem
+
+# client CN in alternate names list
+-v 3
+-l ECDHE-RSA-AES128-GCM-SHA256
+-h localhost
+-A ./certs/test/server-localhost.pem
+-m

From 239880a9de714e0a8f2dc1a97a18296cbb91735c Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Tue, 10 Jul 2018 17:07:48 -0700
Subject: [PATCH 2/2] Subject Alt Name Matching 1. Removed an external test tag
 from a failure test case. Ends up leaving a thread still running on exit.

---
 tests/test-fails.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tests/test-fails.conf b/tests/test-fails.conf
index 1c8f6e5ef..e41fcd35e 100644
--- a/tests/test-fails.conf
+++ b/tests/test-fails.conf
@@ -106,5 +106,4 @@
 -h localhost
 -A ./certs/test/server-garbage.pem
 -m
--X