Test FCS_TLSC_EXT.1.1:9.3.2: The evaluator shall follow the operational
guidance to configure the TSF to use the name matching method and establish
reference identifiers matching only the CN-encoded name. The evaluator shall
ensure that the test server sends the certificate with the matching CN-encoded
name and non-matching SAN, and observe that the TSF terminates the session.
It is preferred that the TSF sends a fatal error alert message (e.g., bad certificate,
unknown certificate) in response to this, but it is acceptable that the TSF
terminates the connection silently (i.e., without sending a fatal error alert).
(emphasis mine)
Why is the TSF supposed to terminate the session if it is only matching the CN-encoded name and the server certificate matches the CN-encoded name?
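The outcome the quoted test expects is what a name check produces when it follows the RFC 6125 section 6.4.4 precedence rule, under which the CN is consulted only if the certificate presents no SAN of a supported type. The sketch below is an added example, not code from the Protection Profile or any evaluated product; it models only dNSName SANs, uses the dictionary shape returned by Python's `ssl.getpeercert()`, and all host names and certificates in it are constructed.

```python
def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two labels to the right of the wildcard.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify_reference_id(cert: dict, reference: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a DNS reference identifier."""
    dns_sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_sans:
        # A SAN is present, so it is authoritative: the CN is never consulted,
        # even when the CN would have matched the reference identifier.
        if any(_dns_match(s, reference) for s in dns_sans):
            return True, "SAN match"
        return False, "SAN present but no match; CN ignored"
    # No dNSName SAN: fall back to the CN-encoded name as a last resort.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, reference) for cn in cns):
        return True, "CN match (no SAN)"
    return False, "no matching identifier"


# Constructed certificates (hypothetical names), one per case.
REFERENCE = "tsf-test.example"
CN_ONLY = {"subject": ((("commonName", "tsf-test.example"),),)}
CN_OK_SAN_BAD = {  # the case in the quoted test: matching CN, non-matching SAN
    "subject": ((("commonName", "tsf-test.example"),),),
    "subjectAltName": (("DNS", "other.example"),),
}
CN_BAD_SAN_OK = {
    "subject": ((("commonName", "other.example"),),),
    "subjectAltName": (("DNS", "tsf-test.example"),),
}

if __name__ == "__main__":
    for name, cert in [("CN only", CN_ONLY),
                       ("CN ok / SAN bad", CN_OK_SAN_BAD),
                       ("CN bad / SAN ok", CN_BAD_SAN_OK)]:
        print(name, "->", verify_reference_id(cert, REFERENCE))
```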