From 2d9e089bf493d885fe827da38fe4b2e1d61f8975 Mon Sep 17 00:00:00 2001
From: Michael Ruoss <michael@michaelruoss.ch>
Date: Fri, 12 Jan 2024 13:45:39 +0100
Subject: [PATCH] add test and comment

---
 lib/mint/core/transport/ssl.ex        | 6 +++++-
 test/mint/core/transport/ssl_test.exs | 5 +++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/mint/core/transport/ssl.ex b/lib/mint/core/transport/ssl.ex
index 1a31bd91..2e1a8c9b 100644
--- a/lib/mint/core/transport/ssl.ex
+++ b/lib/mint/core/transport/ssl.ex
@@ -509,7 +509,11 @@ defmodule Mint.Core.Transport.SSL do
     end
   end
 
-  # In case the hostname is an IP address:
+  # Workaround for a bug that was fixed in OTP 27:
+  # Before OTP 27 when connecting to an IP address and the server offers a
+  # certificate with its IP address in the "subject alternate names" extension,
+  # the TLS handshake fails with a `{:bad_cert, :hostname_check_failed}`.
+  # This clause can be removed once we depend on OTP 27+.
   defp match_fun({:dns_id, hostname}, {:iPAddress, ip}) do
     with {:ok, ip_tuple} <- :inet.parse_address(hostname),
          ^ip <- Tuple.to_list(ip_tuple) do
diff --git a/test/mint/core/transport/ssl_test.exs b/test/mint/core/transport/ssl_test.exs
index 27c70f05..b265c8bf 100644
--- a/test/mint/core/transport/ssl_test.exs
+++ b/test/mint/core/transport/ssl_test.exs
@@ -148,6 +148,11 @@ defmodule Mint.Core.Transport.SSLTest do
       refute :mint_shims.pkix_verify_hostname(cert, ip: {1, 2, 3, 4})
       refute :mint_shims.pkix_verify_hostname(cert, ip: {10, 11, 12, 13})
     end
+
+    @tag :wip
+    test "custom match fun for IP addresses as hostname", %{cert: cert} do
+      assert {:valid, _} = SSL.verify_fun(cert, :valid_peer, dns_id: ~c"10.67.16.75")
+    end
   end
 
   # Certificate chain rooted in an expired root CA, and CA store containing