Starting with version 2.078 (I think, see #121), if SSL_verifycn_name is not set, host name verification of an IPv6 literal PeerAddr (such as "::1") fails even if the subjectAltName contains an iPAddress entry with that address. An IPv4 literal PeerAddr (such as "127.0.0.1") validates successfully without setting SSL_verifycn_name (assuming the IPv4 address is in SAN), so this seems to be specific to IPv6. Maybe the IPv6 behavior is intentional; if so, shouldn't the IPv4 behavior be changed to match?
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1028849 for additional context.
I'll write a MWE upon request.