Closed kxt closed 6 years ago
Thanks for the PR! Before going further, I'd like to see the changes tested against valid certificates, preferably also self-signed, which have:

- CN=<ip address>, no SAN
- CN=<ip address>, SAN with IP address only
- CN=<hostname>, SAN with IP address only
- CN=<hostname>, SAN with DNS and IP address

OpenSSL backend as a minimum, SChannel (Windows) and Secure Transport (macOS) a bonus.
Ldap::connect_ssl() would need a documentation update with the summary of client behavior in those tests.

Also, the commit which removes mut from the helper binding in protocol.rs is unrelated to TLS connections by IP address, so I'd prefer to leave it out of this PR.
I finally had the time to look into this myself, with the caveat that I could only do the tests on Linux + OpenSSL.
Certificates with IP address SAN elements work with openssl-0.9.18 and later. Tested for IPv4. Such certs are probably very niche, but it's nice to know that they're supported.

If a server cert is otherwise valid, connecting by IP address with set_no_tls_verify(true) should work.
I'll be merging the PR, including the unrelated mut fixup. Thanks! (I'm not too happy about the delay, but I believe that the PR could've been merged sooner if I'd had the results of relevant tests.)
Fixes #23
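The four certificate shapes requested in the review above, run through a client-side name check, as an added example that is not part of this PR or of the ldap3/openssl crates: it uses Go's crypto/x509 in place of the OpenSSL backend to show which shapes verify when the client dials the IP literal versus the DNS name. Like OpenSSL's X509_check_ip(), Go matches an IP target only against SAN iPAddress entries and never against the CN, so the "CN=<ip address>, no SAN" row is the one that fails. The address 192.0.2.10, the hostname ldap.example.test and the helper names are assumptions made for the example; the certificates are minted in memory and nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// certShape is one row of the review's test matrix: what goes in the CN and in the SAN.
// Every shape here is constructed for the example; none is a real server certificate.
type certShape struct {
	Label string
	CN    string
	DNS   []string // SAN dNSName entries
	IPs   []net.IP // SAN iPAddress entries
}

const (
	exampleIP   = "192.0.2.10"        // TEST-NET-1 address, assumed for the example
	exampleHost = "ldap.example.test" // hostname assumed for the example
)

// testMatrix returns the four shapes listed in the review comment.
func testMatrix() []certShape {
	ip := net.ParseIP(exampleIP)
	return []certShape{
		{"CN=<ip>, no SAN", exampleIP, nil, nil},
		{"CN=<ip>, SAN IP only", exampleIP, nil, []net.IP{ip}},
		{"CN=<hostname>, SAN IP only", exampleHost, nil, []net.IP{ip}},
		{"CN=<hostname>, SAN DNS+IP", exampleHost, []string{exampleHost}, []net.IP{ip}},
	}
}

// selfSigned mints a short-lived self-signed server certificate for one shape.
func selfSigned(s certShape) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: s.CN},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     s.DNS,
		IPAddresses:  s.IPs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAs does what a client that trusts the self-signed cert does on connect:
// chain validation against a pool holding only that cert, plus the name check
// for whatever the client dialed (an IP literal or a DNS name).
func verifyAs(cert *x509.Certificate, target string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: target})
	return err
}

// verdict records whether the shape verified for each way of dialing the server.
type verdict struct {
	ByIP   bool // dialed the IP literal, cert checked against it
	ByHost bool // dialed the DNS name, cert checked against it
}

// runMatrix mints each shape and reports both verdicts for it.
func runMatrix() (map[string]verdict, error) {
	out := map[string]verdict{}
	for _, s := range testMatrix() {
		cert, err := selfSigned(s)
		if err != nil {
			return nil, err
		}
		out[s.Label] = verdict{
			ByIP:   verifyAs(cert, exampleIP) == nil,
			ByHost: verifyAs(cert, exampleHost) == nil,
		}
	}
	return out, nil
}

func main() {
	res, err := runMatrix()
	if err != nil {
		panic(err)
	}
	for _, s := range testMatrix() {
		fmt.Printf("%-28s by IP: %-5v by hostname: %v\n", s.Label, res[s.Label].ByIP, res[s.Label].ByHost)
	}
}
```

The by-hostname column is the counterpart a connect_ssl() doc note would want alongside the by-IP results: once a SAN extension is present, only its dNSName entries count for a DNS target, so the "CN=<hostname>, SAN IP only" shape verifies by IP but not by name.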