Commit fb21fa2
X509_VERIFY_PARAM_set1_host only validates the certificate against
dNSName / CN SAN entries, so connecting to a host given as a literal
IPv4 or IPv6 address (e.g. wss://127.0.0.1/) always failed hostname
verification even when the certificate carried a matching iPAddress SAN.
Detect IP literals with inet_pton and validate them against the
iPAddress SANs via X509_VERIFY_PARAM_set1_ip_asc instead, falling back
to set1_host for DNS names.
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 8cbbed6 commit fb21fa2
1 file changed
Lines changed: 16 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
9 | 9 | | |
10 | 10 | | |
11 | 11 | | |
| 12 | + | |
12 | 13 | | |
13 | 14 | | |
14 | 15 | | |
| |||
768 | 769 | | |
769 | 770 | | |
770 | 771 | | |
771 | | - | |
| 772 | + | |
| 773 | + | |
| 774 | + | |
| 775 | + | |
| 776 | + | |
| 777 | + | |
| 778 | + | |
| 779 | + | |
| 780 | + | |
| 781 | + | |
| 782 | + | |
| 783 | + | |
| 784 | + | |
| 785 | + | |
| 786 | + | |
772 | 787 | | |
773 | 788 | | |
774 | 789 | | |
| |||
0 commit comments