Specification
The OpenSSL-based TLS implementation in Node.js automatically checks IP SANs when verifying the server name, so certificates issued for specific IP addresses are supported.
However, quiche's use of boring does not enable this, so IP SANs are completely ignored.
In our tests, which use localhost, 127.0.0.1 and ::1 a lot, this results in a bunch of TLS verification failures.
To get around this, we ended up with DNS SANs containing 127.0.0.1 and ::1 as strings. However, this is not correct, as there are multiple valid forms of ::1, and IP SANs would let the TLS library know that this is not just a string match and instead perform an IP equivalence check.
This will require an upstream fix; details are here: #53 (comment)
Additional context
Tasks
- ...
- ...
- ...