Disable commonName matching for certificates
Matching the commonName has been deprecated for
nearly 20 years, as it's a fallback path for
certificates that don't have a subjectAltName.
Disable the matching by default, but introduce an
enterprise policy that allows it to be enabled for
certificates that chain to local trust anchors.
This policy is similar to the SHA-1 deprecation
policy, and is named
EnableCommonNameFallbackForLocalAnchors.
For systems without enterprise policies (meaning
they aren't using SSLConfigManagerPref), the
default is to keep the insecure behaviour, which
is most compatible with legacy, but is not secure.
BUG=308330
Review-Url: https://codereview.chromium.org/2719273002
Cr-Commit-Position: refs/heads/master@{#454752}
76 files changed
