From 08a2b378fad8aa704704ae3fb803a1b281c25989 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=3D=3FUTF-8=3Fq=3FSamuel=3D20Lor=3DC3=3DA9tan=3F=3D?=
 <tynril@gmail.com>
Date: Thu, 6 Dec 2018 09:44:30 +0800
Subject: [PATCH] openssl: Allow IP-based SAN in automatic hostname check

With OpenSSL, `X509_VERIFY_PARAM_set1_host` only checks matching hostnames and alternative names that are domain-based.

This change tries calling `X509_VERIFY_PARAM_set1_ip_asc` first, which attempts to parse the hostname as an IP address (v4 or v6). If this fails, it'll fall back to the current `X509_VERIFY_PARAM_set1_host` behavior.
---
 lib/tls/openssl/openssl-client.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c
index 9754afa8..884d0317 100644
--- a/lib/tls/openssl/openssl-client.c
+++ b/lib/tls/openssl/openssl-client.c
@@ -158,7 +158,9 @@ lws_ssl_client_bio_create(struct lws *wsi)
 		/* Enable automatic hostname checks */
 		X509_VERIFY_PARAM_set_hostflags(param,
 					X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-		X509_VERIFY_PARAM_set1_host(param, hostname, 0);
+		// Handle the case where the hostname is an IP address.
+		if (!X509_VERIFY_PARAM_set1_ip_asc(param, hostname))
+			X509_VERIFY_PARAM_set1_host(param, hostname, 0);
 	}
 #endif
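Review bot: Neither X509_VERIFY_PARAM_set1_ip_asc nor the X509_VERIFY_PARAM_set1_host fallback has its return value checked, so if both fail (set1_ip_asc returns 0 on a parse error but also on allocation failure, and set1_host can fail the same way) the param is left with no host or IP configured and the handshake proceeds without any identity check of the peer certificate; the fallback should be `if (!X509_VERIFY_PARAM_set1_ip_asc(param, hostname) && !X509_VERIFY_PARAM_set1_host(param, hostname, 0))` followed by whatever error return this function uses. Note also that OpenSSL's IP check only matches iPAddress SAN entries and never the subject CN, so an IP literal that previously matched a certificate carrying the IP in its CN will now be rejected — the RFC 6125-correct behaviour, but a compatibility change worth stating in the commit message. The `//` comment on the new line differs from the `/* */` style used two lines above it. lws_ssl_client_bio_create begins and ends outside the hunk.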
 
-- 
GitLab