apple / swift-nio-ssl

TLS Support for SwiftNIO, based on BoringSSL.
https://swiftpackageindex.com/apple/swift-nio-ssl/main/documentation/niossl
Apache License 2.0

Case-insensitive identity verification #463

Closed by baarde 2 months ago

baarde commented 2 months ago

RFC 5280 states that while uppercase and lowercase letters are allowed in domain names, no significance is attached to the case, meaning the case should be ignored when comparing domain names.

Most certificates don't have any uppercase letter in their domain name. But some do.

SwiftNIO SSL converts the server hostname to lowercase but doesn't convert the certificate's CN or SAN. Therefore, the domain name comparison always fails when the certificate has uppercase letters in its domain name.

Steps to reproduce

Expected result

A parsing error "invalid constant string" is thrown (the server is not a valid HTTP server).

Actual result

"NIOSSLExtraError.failedToValidateHostname: Couldn't find localhost in certificate from peer" is thrown.
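
The mismatch reported above, next to a comparison that folds case on both sides, as an added example that is not part of the original post and is not swift-nio-ssl or swift-certificates code. The function names, the sample SAN entries and the simplified wildcard rule are assumptions; the wildcard entry goes slightly beyond the case in the issue.

```swift
// Added example; not swift-nio-ssl code. All function names are hypothetical.

/// Lowercases ASCII A-Z only, avoiding locale- or Unicode-dependent case folding.
func asciiLowercased(_ name: String) -> String {
    let bytes: [UInt8] = name.utf8.map { byte in
        (0x41...0x5A).contains(byte) ? byte | 0x20 : byte
    }
    return String(decoding: bytes, as: UTF8.self)
}

/// Compares one certificate dNSName against an already-lowercased hostname.
/// `foldCertificateName: false` reproduces the mismatch described in the issue.
/// Assumption: a wildcard is only honoured as the entire leftmost label.
func dnsName(_ certificateName: String, matches host: String, foldCertificateName: Bool) -> Bool {
    let name = foldCertificateName ? asciiLowercased(certificateName) : certificateName
    let nameLabels = name.split(separator: ".", omittingEmptySubsequences: false)
    let hostLabels = host.split(separator: ".", omittingEmptySubsequences: false)
    guard nameLabels.count == hostLabels.count,
          !hostLabels.contains(where: { $0.isEmpty }) else { return false }
    if nameLabels.first == "*" {
        // The wildcard stands for exactly one label; the rest must match exactly.
        return nameLabels.count > 2 && nameLabels.dropFirst().elementsEqual(hostLabels.dropFirst())
    }
    return nameLabels.elementsEqual(hostLabels)
}

/// True if any SAN entry matches the hostname the client asked for.
func hostnameIsValid(_ hostname: String, sanEntries: [String], foldCertificateNames: Bool) -> Bool {
    let host = asciiLowercased(hostname)
    return sanEntries.contains { dnsName($0, matches: host, foldCertificateName: foldCertificateNames) }
}

// Constructed SAN entries containing uppercase letters.
let sanEntries = ["LocalHost", "*.Example.COM"]
for hostname in ["localhost", "LOCALHOST", "api.example.com", "example.com"] {
    let hostOnly = hostnameIsValid(hostname, sanEntries: sanEntries, foldCertificateNames: false)
    let bothSides = hostnameIsValid(hostname, sanEntries: sanEntries, foldCertificateNames: true)
    print("\(hostname): hostname-only folding=\(hostOnly), both sides=\(bothSides)")
}
```

A regression test for this kind of fix should include a certificate whose names contain uppercase letters, since certificates with all-lowercase names never exercise the failing path.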

Lukasa commented 2 months ago

This is a great catch, thanks. Are you interested in backporting your fix from swift-certificates? We're not cutting over to it immediately so it'd be nice to fix it in both places.

baarde commented 2 months ago

Yes. Here's the PR #464.