@@ -7252,10 +7252,12 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
72527252 </para>
72537253
72547254 <para>
7255- In <literal>verify-full</> mode, the <literal>cn</> (Common Name) attribute
7256- of the certificate is matched against the host name. If the <literal>cn</>
7257- attribute starts with an asterisk (<literal>*</>), it will be treated as
7258- a wildcard, and will match all characters <emphasis>except</> a dot
7255+ In <literal>verify-full</> mode, the host name is matched against the
7256+ certificate's Subject Alternative Name attribute(s), or against the
7257+ Common Name attribute if no Subject Alternative Name of type dNSName is
7258+ present. If the certificate's name attribute starts with an asterisk
7259+ (<literal>*</>), the asterisk will be treated as
7260+ a wildcard, which will match all characters <emphasis>except</> a dot
72597261 (<literal>.</>). This means the certificate will not match subdomains.
72607262 If the connection is made using an IP address instead of a host name, the
72617263 IP address will be matched (without doing any DNS lookups).