Disable commonName matching for certificates

net/cert/cert_verify_proc_mac.cc

Index: net/cert/cert_verify_proc_mac.cc
diff --git a/net/cert/cert_verify_proc_mac.cc b/net/cert/cert_verify_proc_mac.cc
index 15d07f3e2c4ca85bb80c9984121fc2dd85f9c1c3..c9ca384b96973260dc26e126225d0bebe40ec51c 100644
--- a/net/cert/cert_verify_proc_mac.cc
+++ b/net/cert/cert_verify_proc_mac.cc
@@ -988,14 +988,6 @@ int VerifyWithGivenFlags(X509Certificate* cert,
       break;
   }
 
-  // Perform hostname verification independent of SecTrustEvaluate. In order to
-  // do so, mask off any reported name errors first.
-  verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID;
-  if (!cert->VerifyNameMatch(hostname,
-                             &verify_result->common_name_fallback_used)) {
-    verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
-  }
-
   // TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be
   // compatible with Windows, which in turn implements this behavior to be
   // compatible with WinHTTP, which doesn't report this error (bug 3004).
@@ -1005,6 +997,10 @@ int VerifyWithGivenFlags(X509Certificate* cert,
   verify_result->is_issued_by_known_root =
       g_known_roots.Get().IsIssuedByKnownRoot(completed_chain);
 
+  // Hostname validation is handled by CertVerifyProc, so mask off any errors
+  // that SecTrustEvaluate may have set, as its results are not used.
+  verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID;
+
   if (IsCertStatusError(verify_result->cert_status))
     return MapCertStatusToNetError(verify_result->cert_status);