When MTLS is enabled at level Full, the basic client certificate verification
scenario is the same as at level Trusted. Additionally, the X509v3 extensions
of the client certificate are examined during the SSL/TLS handshake. The
certificate verification procedure fails if any unknown critical extension
occurs, or if the usage of the known extensions (basicConstraints, keyUsage,
extendedKeyUsage and nsCertType) violates the applicable standard.

The Full client verification level also enables an identity check of the
client based on the SubjectAlternativeName or CommonName present in the
certificate. Note that the identity check is enabled by default. This
behavior can be changed with the checkbox:
Configuration > Security > Signaling and Payload Encryption
(SPE) > SPE Security Setup > SIP TLS Parameters > Subject name
check.

The identity check attempts to look up the SubjectAlternativeName or
CommonName (respectively) via DNS and obtains the IP address(es) associated
with that name. If any address is found and it matches the real IP address
of the connected client, the identity check succeeds; otherwise the
handshake fails immediately.
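The following Python model illustrates the two halves of the Full level described above: the extension sanity check and the DNS-based identity check. It is an example added to this page, not the product's own code. The certificate is represented by a constructed data structure rather than parsed DER, DNS is replaced by a stub resolver so the script runs offline, and the exact per-extension rules (end-entity basicConstraints, digitalSignature in keyUsage, clientAuth in extendedKeyUsage, client in nsCertType) are assumptions modelled on the common TLS-client purpose check, as is the choice to try SubjectAlternativeName first and fall back to CommonName.

```python
"""Model of a 'Full' MTLS client-certificate check: X509v3 extension sanity
plus a DNS-based identity check.  Example added to the documentation page;
field names, the resolver hook and the per-extension rules are assumptions,
not the product's implementation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Extensions the Full level understands; any OTHER extension marked critical
# causes verification to fail.
KNOWN_EXTENSIONS = {"basicConstraints", "keyUsage", "extendedKeyUsage", "nsCertType"}


@dataclass
class ClientCert:
    """Constructed stand-in for a parsed X.509v3 client certificate."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)
    # extension name -> (critical flag, value); the value shape is per extension
    extensions: Dict[str, Tuple[bool, object]] = field(default_factory=dict)


def check_extensions(cert: ClientCert) -> Optional[str]:
    """Return None if the extensions are acceptable for a TLS client, else the reason."""
    for name, (critical, _value) in cert.extensions.items():
        if critical and name not in KNOWN_EXTENSIONS:
            return f"unknown critical extension {name}"
    bc = cert.extensions.get("basicConstraints")
    if bc is not None and bc[1].get("ca"):
        return "basicConstraints: CA certificate presented as a client certificate"
    ku = cert.extensions.get("keyUsage")
    if ku is not None and "digitalSignature" not in ku[1]:
        return "keyUsage lacks digitalSignature"
    eku = cert.extensions.get("extendedKeyUsage")
    if eku is not None and "clientAuth" not in eku[1]:
        return "extendedKeyUsage lacks clientAuth"
    ns = cert.extensions.get("nsCertType")
    if ns is not None and "client" not in ns[1]:
        return "nsCertType does not permit SSL client use"
    return None


def check_identity(cert: ClientCert, peer_ip: str,
                   resolve: Callable[[str], List[str]]) -> Optional[str]:
    """Resolve SAN DNS names (falling back to CN) and require the peer address to appear."""
    names = cert.san_dns or ([cert.common_name] if cert.common_name else [])
    if not names:
        return "certificate carries neither SubjectAlternativeName nor CommonName"
    peer = ipaddress.ip_address(peer_ip)
    for name in names:
        resolved = {ipaddress.ip_address(a) for a in resolve(name)}
        if peer in resolved:
            return None
    return f"no address of {names} matches peer {peer_ip}"


def verify_full(cert: ClientCert, peer_ip: str,
                resolve: Callable[[str], List[str]],
                subject_name_check: bool = True) -> Tuple[bool, str]:
    """Full-level verification: extensions first, then (optionally) identity."""
    reason = check_extensions(cert)
    if reason:
        return False, reason
    if subject_name_check:  # the 'Subject name check' checkbox
        reason = check_identity(cert, peer_ip, resolve)
        if reason:
            return False, reason
    return True, "ok"


# Constructed sample data: a stub standing in for the DNS resolver.
SAMPLE_DNS = {"sip-client.example.net": ["192.0.2.10", "2001:db8::10"]}


def stub_resolve(name: str) -> List[str]:
    return SAMPLE_DNS.get(name, [])


GOOD_CERT = ClientCert(
    common_name="sip-client.example.net",
    san_dns=["sip-client.example.net"],
    extensions={
        "basicConstraints": (True, {"ca": False}),
        "keyUsage": (True, {"digitalSignature", "keyEncipherment"}),
        "extendedKeyUsage": (False, {"clientAuth"}),
    },
)

if __name__ == "__main__":
    print(verify_full(GOOD_CERT, "192.0.2.10", stub_resolve))  # accepted
    print(verify_full(GOOD_CERT, "192.0.2.11", stub_resolve))  # identity mismatch
```

With the subject name check disabled, only the extension checks run, so a certificate with an unknown critical extension is still rejected while an address mismatch is no longer fatal.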