haskell-tls / hs-certificate

Certificate and Key Reader/Writer in haskell

Feature request: server name validation using IP addresses #90

Open guoshimin opened 6 years ago

guoshimin commented 6 years ago

Relevant code: https://github.com/vincenthz/hs-certificate/blob/d107283dda08f070b602c15a46e7b45ddc146938/x509-validation/Data/X509/Validation.hs#L336-L339

The current name check only uses the DNS names in SANs if SANs are present. While I understand that it's generally not a good practice to use the IP address of a server as the server's identity, sometimes it's outside our control. For example, in Google Kubernetes Engine, clients locate the master by IP and the master's cert has the IP in its SANs.

akshaymankar commented 5 years ago

I see no activity on this, so let me +1 by telling y'all my use case.

I am trying to use the Haskell Kubernetes client to connect to Google Container Engine (GKE). The certificate generated by GKE for the master node is for an IP address and the master node is only addressable by the IP address.

I am willing to send a PR for this, I think I have figured out where I have to add the code. Please let me know if I should.

Additionally, this PR would be useful as I would need some of the functionality implemented in it. But I am not sure why it is not merged.
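The check both comments ask for, written out as an added example that is not part of this thread or of the hs-certificate library: the current behaviour consults only DNS SANs, so a client that dials the master by IP can never validate, while the proposed behaviour recognises an IP-literal target and compares it against the certificate's IP SANs by packed address bytes. The SAN list and the address in it are constructed, and the `("dns", ...)` / `("ip", ...)` tuples are a stand-in for the library's `AltNameDNS` / `AltNameIP` values.

```python
import ipaddress
from typing import List, Tuple, Union

# SAN entries mirror the shape of the library's AltName values: DNS names as
# strings, IP addresses as the raw packed bytes from the certificate (4 or 16).
AltName = Tuple[str, Union[str, bytes]]

# Constructed example: a GKE-style master certificate carrying one DNS name
# and the master's IPv4 address as SANs.  The address is made up.
SAMPLE_SANS: List[AltName] = [
    ("dns", "kubernetes.default.svc"),
    ("ip", bytes([10, 0, 0, 1])),
]


def match_dns(pattern: str, host: str) -> bool:
    """Match one DNS SAN against a hostname; '*' counts only as the whole leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or any(label == "" for label in h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def validate_name_dns_only(hostname: str, sans: List[AltName]) -> List[str]:
    """Current behaviour: only DNS SANs are consulted, so an IP target can never match."""
    if any(kind == "dns" and match_dns(value, hostname) for kind, value in sans):
        return []
    return ["NameMismatch"]


def validate_name(hostname: str, sans: List[AltName]) -> List[str]:
    """Proposed behaviour: an IP-literal target is matched against IP SANs, never DNS SANs."""
    # Accept the bracketed IPv6 form a URL would carry, e.g. "[::1]".
    target = hostname[1:-1] if hostname.startswith("[") and hostname.endswith("]") else hostname
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # Compare the dialed address's packed bytes with the DER octets of each AltNameIP.
        ok = any(kind == "ip" and value == ip.packed for kind, value in sans)
    else:
        ok = any(kind == "dns" and match_dns(value, hostname) for kind, value in sans)
    return [] if ok else ["NameMismatch"]
```

Keeping IP targets on the IP branch means a DNS SAN that merely spells out an address string does not satisfy a connection made by IP, which is the behaviour RFC 6125 style checkers expect.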