doc/go1.15: surface the crypto/x509 CommonName deprecation note

Updates #39568
Updates #37419
Updates #24151

Change-Id: I44c940e09e26a039076396bbfecb2b1574197cf7
Reviewed-on: https://go-review.googlesource.com/c/go/+/243221
Reviewed-by: Kevin Burke <kev@inburke.com>

Author: FiloSottile

Diff for: doc/go1.15.html

@@ -386,6 +386,23 @@ <h3 id="cgo">Cgo</h3>
   documentation</a> for more information.
 </p>
 
+<h3 id="commonname">X.509 CommonName deprecation</h3>
+
+<p><!-- CL 231379 -->
+  The deprecated, legacy behavior of treating the <code>CommonName</code>
+  field on X.509 certificates as a host name when no Subject Alternative Names
+  are present is now disabled by default. It can be temporarily re-enabled by
+  adding the value <code>x509ignoreCN=0</code> to the <code>GODEBUG</code>
+  environment variable.
+</p>
+
+<p>
+  Note that if the <code>CommonName</code> is an invalid host name, it's always
+  ignored, regardless of <code>GODEBUG</code> settings. Invalid names include
+  those with any characters other than letters, digits, hyphens and underscores,
+  and those with empty labels or trailing dots.
+</p>
+
 <h3 id="minor_library_changes">Minor changes to the library</h3>
 
 <p>
@@ -523,15 +540,6 @@ <h3 id="minor_library_changes">Minor changes to the library</h3>
       certificates with trailing dots.
     </p>
 
-    <p><!-- CL 231379 -->
-      The deprecated, legacy behavior of treating the <code>CommonName</code>
-      field as a hostname when no Subject Alternative Names are present is now
-      disabled by default. It can be temporarily re-enabled by adding the value
-      <code>x509ignoreCN=0</code> to the <code>GODEBUG</code> environment
-      variable. If the <code>CommonName</code> is an invalid hostname, it's
-      always ignored.
-    </p>
-
     <p><!-- CL 217298 -->
       The new <a href="/pkg/crypto/x509/#CreateRevocationList"><code>CreateRevocationList</code></a>
       function and <a href="/pkg/crypto/x509/#RevocationList"><code>RevocationList</code></a> type