Sorry for the silly mistake. At Fri, 17 Dec 2021 15:40:10 +0900 (JST), Kyotaro Horiguchi <horikyota....@gmail.com> wrote in > > NSS departs slightly from the spec and will additionally try to match > > an IP address against the CN, but only if there are no iPAddresses in > > the SAN. It roughly matches the logic for DNS names. > > OpenSSL seems different. X509_check_host() tries SAN then CN iff SAN > doesn't exist. X509_check_ip() tries SAN and completely ignores > iPAdress and CN.
OpenSSL seems different. X509_check_host() tries SAN then CN iff SAN doesn't exist. X509_check_ip() tries iPAddress and completely ignores CN. regards. -- Kyotaro Horiguchi NTT Open Source Software Center