tls: Re-enable checking of CN-ID in server identity verification

[tmuellerleile]

RFC 6125 explicitly states that a client "MUST NOT seek a match
for a reference identifier of CN-ID if the presented identifiers
include a DNS-ID, SRV-ID, URI-ID, or any application-specific
identifier types supported by the client", but it MAY do so if
none of the mentioned identifier types (but others) are present.

As certificates with unsupported identifiers in altnames (e. g. email:) are not uncommon, we should be more liberal by resorting to the (deprecated) CN-ID based verification in these cases.

[Nodejs-Jenkins]

Thank you for contributing this pull request! Here are a few pointers to make sure your submission will be considered for inclusion.

Commit tmuellerleile/node@2ae1963 has the following error(s):

• First line of commit message must be no longer than 50 characters
• Commit message must indicate the subsystem this commit changes

The following commiters were not found in the CLA:

• Tobias Müllerleile

Please see CONTRIBUTING.md for more information

[tmuellerleile]

Fixed commit message wording after Node-Jenkins' hint.

[tmuellerleile]

It is also of note that all tests in test/simple/test-tls-check-server-identity.js still pass after applying the proposed change.

Furthermore I think that this patch follows the intention of b4b750b by @indutny as the check in line 167:

if (dnsNames.length > 0) matchCN = false;

is basically unnecessary in the current code, since matchCN is previously set to false by the incriminated line 131 if there are any altnames at all (so based on a much weaker condition).

[indutny]

I did some analysis of what chromium does for certs, I suggest to follow this criterias:

1. It fallbacks to common name check if there're no DNS names and no IP addresses.

   const bool common_name_fallback = cert_san_dns_names.empty() &&
                                     cert_san_ip_addrs.empty();

2. If hostname is IP address - it checks against CN only if address is IPv4, otherwise it checks IP altnames.

3. If hostname is not IP address - it checks against DNS altnames, or CN if common_name_fallback is true.

Therefore this commit looks good to me. Landed with some style fixes in f8bd53bb68216789efaf71e4376b5741f8472b16, thank you!

[indutny]

Backported to v0.8 - 1a95ce5.