I have the feeling that a SAN check is commutative, i.e. if domain A is in the SAN list of domain B, then domain B is also in the SAN list of domain A.
Currently, the way we perform domain comparisons is by getting the SAN list of every URL found in the process (of which there are multiple) and comparing that with the one single domain for which the check is requested.
Why don't we switch that, look up the SAN at the start for the domain that was requested, and only use the hostnames from the found URLs rather than acquiring the SAN list of each of those?
First we need some confirmation of SAN being commutative.
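
One way to test the symmetry assumption on SAN lists that have already been collected, as an added example that is not part of the original post or the project's code. All function names and the sample SAN lists are constructed for illustration; `dns_sans` assumes the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
def dns_sans(cert):
    """Extract DNS names from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(hostname, san_entries):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for entry in san_entries:
        entry = entry.lower().rstrip(".")
        if entry == host:
            return True
        if entry.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == entry[2:]:
                return True
    return False


def asymmetric_pairs(san_by_host):
    """Return (a, b) pairs where a is covered by b's SAN list but b is not covered by a's."""
    pairs = []
    for a, a_sans in san_by_host.items():
        for b, b_sans in san_by_host.items():
            if a != b and san_matches(a, b_sans) and not san_matches(b, a_sans):
                pairs.append((a, b))
    return sorted(pairs)


# Constructed sample: SAN lists as they might be served by four hosts.
SAMPLE = {
    "example.com": ["example.com", "www.example.com"],
    "www.example.com": ["example.com", "www.example.com"],
    # This certificate lists example.com, but example.com's own
    # certificate does not list shop.example.net.
    "shop.example.net": ["shop.example.net", "example.com"],
    "cdn.example.org": ["*.example.org", "www.example.com"],
}

if __name__ == "__main__":
    for a, b in asymmetric_pairs(SAMPLE):
        print(f"{a} is in the SAN list of {b}, but not the other way round")
```

An empty result over real collected data would support switching the lookup direction; any pair returned is a case where the two directions give different answers.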