add test and comment

elixir-mint · Jan 12, 2024 · 2d9e089 · 2d9e089
1 parent b2a98ac
commit 2d9e089
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/lib/mint/core/transport/ssl.ex b/lib/mint/core/transport/ssl.ex
@@ -509,7 +509,11 @@ defmodule Mint.Core.Transport.SSL do
     end
   end
 
-  # In case the hostname is an IP address:
+  # Workaround for a bug that was fixed in OTP 27:
+  # Before OTP 27 when connecting to an IP address and the server offers a
+  # certificate with its IP address in the "subject alternate names" extension,
+  # the TLS handshake fails with a `{:bad_cert, :hostname_check_failed}`.
+  # This clause can be removed once we depend on OTP 27+.
   defp match_fun({:dns_id, hostname}, {:iPAddress, ip}) do
     with {:ok, ip_tuple} <- :inet.parse_address(hostname),
          ^ip <- Tuple.to_list(ip_tuple) do

diff --git a/test/mint/core/transport/ssl_test.exs b/test/mint/core/transport/ssl_test.exs
@@ -148,6 +148,11 @@ defmodule Mint.Core.Transport.SSLTest do
       refute :mint_shims.pkix_verify_hostname(cert, ip: {1, 2, 3, 4})
       refute :mint_shims.pkix_verify_hostname(cert, ip: {10, 11, 12, 13})
     end
+
+    @tag :wip
+    test "custom match fun for IP addresses as hostname", %{cert: cert} do
+      assert {:valid, _} = SSL.verify_fun(cert, :valid_peer, dns_id: ~c"10.67.16.75")
+    end
   end
 
   # Certificate chain rooted in an expired root CA, and CA store containing