I think the check should only fail if it did not match a *URI* field with
the same hostname. Additional fields (with other types) should be ignored.
It's a *DNS* field, not URI, but basically it seems to me that
you are right.  RFC 2818 says in detail:

  If a subjectAltName extension of type dNSName is present, that MUST
  be used as the identity. Otherwise, the (most specific) Common Name
  field in the Subject field of the certificate MUST be used. Although
  the use of the Common Name is existing practice, it is deprecated and
  Certification Authorities are encouraged to use the dNSName instead.
...

  In some cases, the URI is specified as an IP address rather than a
  hostname. In this case, the iPAddress subjectAltName must be present
  in the certificate and must exactly match the IP in the URI.

So we have at least the following 3 defined situations:

hostname is IP address ==> must have IP altname

hostname is dns & altname dns, it must match

hostname is dns & not altname dns, "last" common name must match.
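The three situations above, written out as a small checker. This is an added example, not code from the thread or from the project under discussion; the function name `verify_hostname` and the certificate fields it takes (lists of dNSName SANs, iPAddress SANs and Common Names, in certificate order) are assumptions, and it does exact matching only, so wildcard names are not handled.

```python
import ipaddress


def _parse_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _norm_dns(name):
    """Case-insensitive compare; ignore a trailing dot on either side."""
    return name.rstrip(".").lower()


def verify_hostname(hostname, san_dns, san_ip, common_names):
    """Apply the RFC 2818 rules quoted above (exact matching only).

    hostname      -- host part of the URI being connected to
    san_dns       -- dNSName entries from subjectAltName (assumed list)
    san_ip        -- iPAddress entries from subjectAltName (assumed list)
    common_names  -- CN values from the Subject, in certificate order,
                     so the last one is the "most specific" (assumed list)
    """
    ip = _parse_ip(hostname)
    if ip is not None:
        # Case 1: URI names an IP, so an iPAddress altname MUST be present
        # and match exactly. dNSName and CN entries are not consulted.
        # Malformed iPAddress entries are skipped rather than matched.
        return any(_parse_ip(entry) == ip for entry in san_ip)

    host = _norm_dns(hostname)
    if san_dns:
        # Case 2: a dNSName altname is present, so it MUST be used as the
        # identity; the Common Name is ignored even if it would match.
        return any(_norm_dns(entry) == host for entry in san_dns)

    # Case 3: no dNSName altname, so fall back to the most specific
    # (last) Common Name. No CN at all means no identity to match.
    if not common_names:
        return False
    return _norm_dns(common_names[-1]) == host
```

Note that an iPAddress altname alone does not satisfy a DNS hostname, and a dNSName altname alone does not satisfy an IP-literal hostname; the two cases never fall through to each other.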
