The subject common name (CN) field in the X.509 certificate does not match
the name of the entity presenting the certificate.
Before issuing a certificate, a Certification Authority (CA) must check the
identity of the entity requesting the certificate, as specified in the CA's
Certification Practice Statement (CPS). Thus, standard certificate validation
procedures require the subject CN field of a certificate to match the actual
name of the entity presenting the certificate. For example, in a certificate
presented by "https://www.example.com/", the CN should be "www.example.com".
To detect and prevent active eavesdropping attacks, the validity of a
certificate must be verified; otherwise an attacker could launch a
man-in-the-middle attack and gain full control of the data stream. Of
particular importance is the validity of the subject's CN, which should match
the name of the entity (hostname).
A CN mismatch most often occurs due to a configuration error, though it can
also indicate that a man-in-the-middle attack is being conducted.
Please note that this check may flag a false positive against servers
that are properly configured using SNI.
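
The comparison described above, as an added example (not the scanner's own
code). It works on dictionaries shaped like the return value of Python's
ssl.SSLSocket.getpeercert(); the certificates and the name
"default.hosting.example" are constructed, and the wildcard handling goes
beyond the single case given in the text. The second certificate shows the SNI
false positive: the default certificate a server returns when no SNI is sent.

```python
# Added example: CN-vs-hostname comparison. All certificate data is constructed.

def subject_cn(cert):
    """Return the last commonName found in the subject, or None."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return cn

def cn_matches(cn, hostname):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    if not cn or not hostname:
        return False
    cn_labels = cn.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cn_labels) != len(host_labels):
        return False
    if cn_labels[0] == "*":
        # A wildcard covers exactly one non-empty label and must be
        # followed by at least two labels (so "*.com" never matches).
        return (len(cn_labels) >= 3 and host_labels[0] != ""
                and cn_labels[1:] == host_labels[1:])
    return cn_labels == host_labels

def check(cert, requested_name):
    """Report the CN seen and whether it mismatches the name that was requested."""
    cn = subject_cn(cert)
    return {"cn": cn, "requested": requested_name,
            "mismatch": not cn_matches(cn, requested_name)}

# Constructed: certificate selected when the client sends SNI "www.example.com".
SNI_CERT = {"subject": ((("organizationName", "Example Inc"),),
                        (("commonName", "www.example.com"),))}
# Constructed: default certificate the same server returns when no SNI is sent.
DEFAULT_CERT = {"subject": ((("commonName", "default.hosting.example"),),)}
# Constructed: wildcard certificate for the same domain.
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),)}

if __name__ == "__main__":
    for cert in (SNI_CERT, DEFAULT_CERT, WILDCARD_CERT):
        print(check(cert, "www.example.com"))
```

When a finding reports a CN like the one in DEFAULT_CERT, repeating the
handshake with the expected server name set confirms whether it is the SNI
false positive or a real mismatch.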