1 files changed, 4 insertions, 2 deletions

diff --git a/src/include/openssl/x509v3.h b/src/include/openssl/x509v3.h
index d2d39f8e..b5db7157 100644
--- a/src/include/openssl/x509v3.h
+++ b/src/include/openssl/x509v3.h
@@ -703,8 +703,8 @@ OPENSSL_EXPORT void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
 OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
 /* Flags for X509_check_* functions */
 
-/* Always check subject name for host match even if subject alt names present */
-#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT	0x1
+/* Deprecated: this flag does nothing */
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT	0
 /* Disable wildcard matching for dnsName fields and common name. */
 #define X509_CHECK_FLAG_NO_WILDCARDS	0x2
 /* Wildcards must not match a partial label. */
@@ -713,6 +713,8 @@ OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
 #define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
 /* Constraint verifier subdomain patterns to match a single labels. */
 #define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
+/* Skip the subject common name fallback if subjectAltNames is missing. */
+#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20
 /*
  * Match reference identifiers starting with "." to any sub-domain.
  * This is a non-public flag, turned on implicitly when the subject