Disable commonName matching for certificates

net/cert/cert_verify_proc.cc

Index: net/cert/cert_verify_proc.cc
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index d946256101271119c9d3f0f68ddb53651f1aa8cf..4d96379aff7ddf04a5e15767293bfc4bf2f6e223 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -485,11 +485,11 @@ int CertVerifyProc::Verify(X509Certificate* cert,
 
   ComputeSignatureHashAlgorithms(verify_result);
 
-  UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback",
-                        verify_result->common_name_fallback_used);
-  if (!verify_result->is_issued_by_known_root) {
-    UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallbackPrivateCA",
-                          verify_result->common_name_fallback_used);
+  bool allow_common_name_fallback =
+      !verify_result->is_issued_by_known_root &&
+      (flags & CertVerifier::VERIFY_ENABLE_COMMON_NAME_FALLBACK_LOCAL_ANCHORS);
+  if (!cert->VerifyNameMatch(hostname, allow_common_name_fallback)) {
+    verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
   }

[Ryan Sleevi, 2017/02/28 02:16:58]

Similarly, I'll be updating tests in CertVerifyProc to cover these permutations,
via a MockCertVerifyProc's VerifyInternal :)

 
   CheckOCSP(ocsp_response, *verify_result->verified_cert,