From 8c9532f8cf94596ab5b3cde97a7601eb72aaf68d Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Mon, 21 Feb 2022 10:25:41 +0200 Subject: [PATCH] Update the "Known Issues" Mention that some old cryptographic library versions lack the functionality to implement ignoring the Subject field (and thus the Common Name) when establishing DoT connections. --- doc/notes/notes-current.rst | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index aafdad743a..99a0784257 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -20,7 +20,16 @@ Security Fixes Known Issues ~~~~~~~~~~~~ -- None. +- According to RFC 8310, Section 8.1, the Subject field MUST NOT be + inspected when verifying a remote certificate while establishing a + DNS-over-TLS connection. Only SubjectAltName must be checked + instead. Unfortunately, some quite old versions of cryptographic + libraries might lack the functionality to ignore the Subject + field. It should have minimal production use consequences, as most + of the production-ready certificates issued by certificate + authorities will have SubjectAltNames set. In such a case, the + Subject field is ignored. Only old platforms are affected by this, + e.g., those supplied with OpenSSL versions older than 1.1.1. New Features ~~~~~~~~~~~~
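Review bot: the new Known Issues entry in the doc/notes/notes-current.rst hunk never states the concrete security consequence on the affected platforms, which is what a reader of a release note needs before deciding whether it applies to them. From the text it follows that when the library cannot be told to ignore the Subject field, a peer certificate that carries no SubjectAltName is matched against its Common Name, so a CN-only certificate whose CN matches the configured name is accepted where RFC 8310 requires it to be rejected; "It should have minimal production use consequences" should be replaced by that explicit statement (and "should have minimal" hedges what is really a narrow but real acceptance bug). The surrounding wording also needs tightening: "Only SubjectAltName must be checked instead" reads awkwardly right after the RFC keyword "MUST NOT" (suggest "Instead, only the SubjectAltName extension is to be checked"), and "some quite old versions of cryptographic libraries might lack the functionality" is vague next to the precise "OpenSSL versions older than 1.1.1" at the end of the paragraph, so lead with that bound, e.g. "On platforms whose OpenSSL is older than 1.1.1, the library cannot be instructed to ignore the Subject field, so ...". Finally, "verifying a remote certificate while establishing a DNS-over-TLS connection" leaves it to the reader to work out that only the client side of the connection (the side verifying the remote server's certificate) is affected; say so directly, since a server-only deployment is not exposed to this.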