Is your feature request related to a problem? Please describe.
We're using a PKI Solution in our company and I'm testing installed certificates with sslyze to verify its proper installation on servers. We are using not only DNS Subject Alternative Names, but also IP Address Subject Alternative Names.
Unfortunately when testing the server either with --certinfo or --regular I only get to see the DNS Subject Alternative Names.
Furthermore, when I test against the IP Address of the Server, the Hostname Validation fails, which shouldn't be the case.
Describe the solution you'd like
I would like to see the "IP Address SAN" Information of the tested certificate, and a successful hostname validation when targeting the server by its IP Address.
E.g.:
sslyze --regular --certinfo_ca_file my-root.pem server.domain:443
* Certificates Information:
Hostname sent for SNI: server.domain
Number of certificates detected: 1
Certificate #0 ( _RSAPublicKey )
SHA1 Fingerprint: 50766e1c18436323bd57d9f854e498f3671bdccc
Common Name: server.domain
Issuer: My Issuing CA
Serial Number: 2185473029123456789074175114908454567893256470
Not Before: 2021-11-04
Not After: 2023-11-04
Public Key Algorithm: _RSAPublicKey
Signature Algorithm: sha256
Key Size: 2048
Exponent: 65537
DNS Subject Alternative Names: ['server', 'server.domain']
IP Subject Alternative Names: ['192.168.1.10'] <- This is what I would like to see
Also in the test results, when I run this command:
sslyze --regular --certinfo_ca_file my-root.pem 192.168.1.10:443
Certificate #0 - Trust
Hostname Validation: FAILED - Certificate does NOT match server hostname <- This shouldn't fail
Describe alternatives you've considered
My alternative is to open up a web browser and manually inspect the certificate.
Thanks and cheers Rene
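
The check requested above, as an added example that is not part of the original issue and not sslyze's own code: it separates DNS and IP Address SANs and validates a target that may be a hostname or an IP literal. It assumes the certificate is given in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the sample certificate are constructed for illustration.

```python
import ipaddress

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert();
# the values mirror the certificate described in the issue.
SAMPLE_CERT = {
    "subject": ((("commonName", "server.domain"),),),
    "subjectAltName": (
        ("DNS", "server"),
        ("DNS", "server.domain"),
        ("IP Address", "192.168.1.10"),
    ),
}


def split_sans(cert):
    """Return (dns_names, ip_addresses) from a getpeercert()-style dict."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            # Parsing normalises the text form, so IPv6 spellings compare equal.
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips


def _dns_matches(pattern, host):
    """Exact match, or one wildcard as the whole leftmost label."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Conservative choice: require at least two labels after the wildcard.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def target_matches(cert, target):
    """Validate a scan target that is either a hostname or an IP literal."""
    dns, ips = split_sans(cert)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        host = target.lower().rstrip(".")
        return any(_dns_matches(p, host) for p in dns)
    # An IP target is compared only with IP Address SANs, never DNS SANs or CN.
    return addr in ips
```

A certificate that carries the address only as a DNS-type SAN (or only in the Common Name) does not validate for an IP target under this check.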