From a0dd92234bb1c058decdd76b2712601e5e662c11 Mon Sep 17 00:00:00 2001
From: Stanislav Klima
Date: Tue, 14 Jun 2022 13:37:49 +0200
Subject: [PATCH 1/3] draft
---
 src/internal.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index f329b01cb..8364f3edf 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10500,6 +10500,7 @@ int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameL
 ret = 0; }
+#ifndef ONLY_ALT_NAME_VERIFICATION
 if (checkCN == 1) { if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, domainName) == 1) {
@@ -10509,6 +10510,7 @@ int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameL
 WOLFSSL_MSG("DomainName match on common name failed"); } }
+#endif /* #ifndef ONLY_ALT_NAME_VERIFICATION */
 return ret; }
@@ -11333,6 +11335,7 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
 } } }
+ #ifndef ONLY_ALT_NAME_VERIFICATION
 else { if (args->dCert->subjectCN) { if (MatchDomainName(args->dCert->subjectCN,
@@ -11344,6 +11347,13 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
 } } }
+ #else /* #ifndef ONLY_ALT_NAME_VERIFICATION */
+ else {
+ if (ret == 0) {
+ ret = DOMAIN_NAME_MISMATCH;
+ }
+ }
+ #endif /* #ifndef ONLY_ALT_NAME_VERIFICATION */
 } /* perform IP address check on the peer certificate */
From 7c827d3a82f112498dc82a8b72c3b0e447f3a9d9 Mon Sep 17 00:00:00 2001
From: Stanislav Klima
Date: Mon, 20 Jun 2022 11:27:09 +0200
Subject: [PATCH 2/3] requested review changes
---
 src/internal.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 8364f3edf..c49136969 100644
--- a/src/internal.c
+++ b/src/internal.c
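Review bot: Whether the new `#ifndef ONLY_ALT_NAME_VERIFICATION` region fails closed depends on `ret` already holding an error code before the `ret = 0;` in the context lines (presumably the alt-name match) — that initialisation is above this hunk, outside view, so confirm it and record the reliance next to the directive, e.g. `/* CN fallback compiled out: a certificate with no matching SAN keeps the mismatch code set above */`. With the `if (checkCN == 1)` block excluded, `checkCN` is no longer read in this build; if it is a plain local assigned earlier in the function, `-Wunused-but-set-variable` builds will warn, so add `(void)checkCN;` under an `#else`. The closing `#endif` is the next hunk (`@@ -10509,6 +10510,7 @@`). CheckHostName starts before this hunk.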
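Review bot: The new `else` branch under `#else` sets `DOMAIN_NAME_MISMATCH` without any log, whereas the common-name path it stands in for reports its failure (`WOLFSSL_MSG("DomainName match on common name failed")` in the CheckHostName hunk above), so a handshake rejected only because the peer certificate lacks a matching SAN leaves no trace to debug from. Add a message before the assignment, e.g. `WOLFSSL_MSG("No alt name match and common name check disabled");`. The `if (ret == 0)` guard preserves an earlier error code, which looks intended. The opening `#ifndef` of this block is the previous hunk (`@@ -11333,6 +11335,7 @@`); DoVerifyCallback continues past this hunk.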
@@ -72,6 +72,9 @@
 * less). On the other hand, if a valid SessionID is collected, forged * clientHello messages will consume resources on the server. * This define is turned off by default.
+ * WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
+ * Certificates without SAN will get rejected during handshake instead of
+ * trying to match hostname or IP address with subject common name.
 */
@@ -10500,7 +10503,7 @@ int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameL
 ret = 0; }
-#ifndef ONLY_ALT_NAME_VERIFICATION
+#ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
 if (checkCN == 1) { if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, domainName) == 1) {
@@ -10510,7 +10513,7 @@ int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameL
 WOLFSSL_MSG("DomainName match on common name failed"); } }
-#endif /* #ifndef ONLY_ALT_NAME_VERIFICATION */
+#endif /* # !WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY */
 return ret; }
@@ -11335,7 +11338,7 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
 } } }
- #ifndef ONLY_ALT_NAME_VERIFICATION
+ #ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
 else { if (args->dCert->subjectCN) { if (MatchDomainName(args->dCert->subjectCN,
@@ -11353,7 +11356,7 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
 ret = DOMAIN_NAME_MISMATCH; } }
- #endif /* #ifndef ONLY_ALT_NAME_VERIFICATION */
+ #endif /* !WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY */
 } /* perform IP address check on the peer certificate */
From ce977e8c0b2381471bed238f70032b1d1f3c7707 Mon Sep 17 00:00:00 2001
From: Stanislav Klima
Date: Fri, 24 Jun 2022 15:37:10 +0200
Subject: [PATCH 3/3] requested review changes 2
---
 src/internal.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index c49136969..113af531c 100644
--- a/src/internal.c
+++ b/src/internal.c
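Review bot: The new `WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY` entry does not state its default, while the neighbouring entry in the same context ends with `* This define is turned off by default.`, so a reader of this list cannot tell that alt-name-only matching is opt-in. Add the same sentence as the last line of the new entry, `* This define is turned off by default.`. The reworded entry in PATCH 3/3 (`@@ -73,8 +73,9 @@`) omits it as well, and also drops the period after `handshake`.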
@@ -73,8 +73,9 @@
 * clientHello messages will consume resources on the server. * This define is turned off by default. * WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
- * Certificates without SAN will get rejected during handshake instead of
- * trying to match hostname or IP address with subject common name.
+ * Verify hostname/ip address using alternate name (SAN) only and do not
+ * use the common name. Forces use of the alternate name, so certificates
+ * missing SAN will be rejected during the handshake
 */
@@ -10513,7 +10514,7 @@ int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameL
 WOLFSSL_MSG("DomainName match on common name failed"); } }
-#endif /* # !WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY */
+#endif /* !WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY */
 return ret; }
@@ -11350,7 +11351,7 @@ int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
 } } }
- #else /* #ifndef ONLY_ALT_NAME_VERIFICATION */
+ #else
 else { if (ret == 0) { ret = DOMAIN_NAME_MISMATCH;