Disable commonName matching for certificates

net/cert/cert_verify_proc_mac.cc

Index: net/cert/cert_verify_proc_mac.cc
diff --git a/net/cert/cert_verify_proc_mac.cc b/net/cert/cert_verify_proc_mac.cc
index 987eed236e46f14d2f9066ebd9a0ecc87c6d2a57..c9ca384b96973260dc26e126225d0bebe40ec51c 100644
--- a/net/cert/cert_verify_proc_mac.cc
+++ b/net/cert/cert_verify_proc_mac.cc
@@ -988,10 +988,6 @@ int VerifyWithGivenFlags(X509Certificate* cert,
       break;
   }
 
-  // Perform hostname verification independent of SecTrustEvaluate. In order to
-  // do so, mask off any reported name errors first.
-  verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID;
-
   // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
   // compatible with Windows, which in turn implements this behavior to be
   // compatible with WinHTTP, which doesn't report this error (bug 3004).
@@ -1001,6 +997,10 @@ int VerifyWithGivenFlags(X509Certificate* cert,
   verify_result->is_issued_by_known_root =
       g_known_roots.Get().IsIssuedByKnownRoot(completed_chain);
 
+  // Hostname validation is handled by CertVerifyProc, so mask off any errors
+  // that SecTrustEvaluate may have set, as its results are not used.
+  verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID;

[mattm, 2017/03/01 23:56:47]

Is moving this down significant? (Not a big deal I guess, just curious why it
moved.)

[Ryan Sleevi, 2017/03/02 00:18:55]

Eh, it was an artifact of the previous build in which name checking was moved
here (because name checking depended on is_issued_by_known_root), but I split
that CL out, and forgot to move this part back. It has no material effect, but
moved it back for less file churn :)

+
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);