curl-library
axTLS host verification
Date: Fri, 7 Jun 2013 17:09:29 +0300
Hello,
I've noticed that cURL changed behavior in 7.29 regarding axTLS
support. Before, it was ignoring invalid certificates as requested, but
in 7.29 it gives a "subjectAltName(s) do not match %s" error and ignores
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
I've traced it to this commit:
https://github.com/bagder/curl/commit/1394cad30fcac7eb21adb9158dfcfab10e9f53d4
and it says "honoring the VERIFYHOST setting", but apparently it does not.
RFC 2818 says
" If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity."
and
" If the hostname does not match the identity in the certificate, user
oriented clients MUST either notify the user (clients MAY give the
user the opportunity to continue with the connection in any case) or
terminate the connection with a bad certificate error."
I was under the impression that VERIFYHOST == 0 should let a host with
an invalid certificate pass the checks, but this is only implemented
during the Common Name (if present) check. The patch that fixes this is
listed below.
Any ideas?
---Received on 2013-06-07
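As an added illustration (not curl's or axTLS's code), the following models the RFC 2818 ordering quoted above and the inconsistency reported in the message: the SAN dNSName entries are the identity when present, the CN is consulted only otherwise, and a disabled host check must be honoured on both paths. The `cert_ids` structure, the `buggy` switch and the two sample certificates are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified view of a certificate's identities
 * (constructed for this example, not an axTLS or curl structure). */
struct cert_ids {
    const char *san[4];   /* subjectAltName dNSName entries, NULL-terminated */
    const char *cn;       /* Common Name, or NULL if absent */
};

/* Case-insensitive exact match; a leading "*." matches exactly one label. */
static bool name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Returns true when the connection may proceed.
 * If any dNSName SAN is present it is the identity and the CN is ignored
 * (RFC 2818); the CN is consulted only when no SAN exists.
 * With buggy == true the SAN result is returned directly, so a disabled
 * host check (verify_host == false) is honoured only on the CN path,
 * which is the behaviour the message reports for 7.29. */
static bool host_verified(const struct cert_ids *c, const char *host,
                          bool verify_host, bool buggy) {
    bool matched = false;
    if (c->san[0] != NULL) {
        for (int i = 0; c->san[i] != NULL; i++)
            if (name_matches(c->san[i], host)) { matched = true; break; }
        if (buggy) return matched;   /* verify_host never consulted */
    } else if (c->cn != NULL) {
        matched = name_matches(c->cn, host);
    }
    if (matched) return true;
    /* Mismatch: fail unless the caller explicitly disabled host checking. */
    return !verify_host;
}

/* Constructed samples: one certificate with SANs, one with only a CN. */
static const struct cert_ids san_cert = { { "example.com", "*.example.com", NULL }, "example.com" };
static const struct cert_ids cn_only_cert = { { NULL }, "example.com" };
```

With `buggy == false` the mismatching host `other.test` is accepted only when host checking is disabled; with `buggy == true` it is rejected for `san_cert` even then, while `cn_only_cert` still honours the flag.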