QSslSocket: The field "IP Address" is not considered in Subject "Alternative Name" in a Certificate

    wdold
    wrote on last edited by aha_1980
    #1

    I tried as a client to connect to a websocket server via wss. In the URL I entered the IP address of the server (172.18.12.211).
    Every time I got the error:
    SSL Error: The host name did not match any of the valid hosts for this certificate
    I looked inside the server certificate but everything seemed OK to me:
    X509v3 Subject Alternative Name:
    IP Address:FE80:0:0:0:316D:360F:7CCF:23FB, IP Address:172.18.12.211, DNS:*.domain.com, DNS:localhost

    So I had a look at the Qt sources, especially qtbase/src/network/ssl/qsslsocket.cpp:
    There I could see that DNS entries are searched for in the Subject "Alternative Name" of a Certificate, but not IP Address entries:

    bool QSslSocketPrivate::isMatchingHostname(const QSslCertificate &cert, const QString &peerName)
    {
        const QString lowerPeerName = QString::fromLatin1(QUrl::toAce(peerName));
        const QStringList commonNames = cert.subjectInfo(QSslCertificate::CommonName);
    
        for (const QString &commonName : commonNames) {
            if (isMatchingHostname(commonName, lowerPeerName))
                return true;
        }
    
        const auto subjectAlternativeNames = cert.subjectAlternativeNames();
        const auto altNames = subjectAlternativeNames.equal_range(QSsl::DnsEntry);
        for (auto it = altNames.first; it != altNames.second; ++it) {
            if (isMatchingHostname(*it, lowerPeerName))
                return true;
        }
    
        return false;
    }
    

    Since "IP Address" is a valid entry in the Subject "Alternative Name" of a Certificate, I'm wondering why this is not considered in the Qt sources?

    Was it simply forgotten to implement?
    Or is there any reason why this was left off?

    Any comments are appreciated.
    Regards, wdold

      SGaist
      Lifetime Qt Champion
      wrote on last edited by
      #2

      Hi and welcome to devnet,

      What version of Qt are you using ?

      Interested in AI ? www.idiap.ch
      Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct

        wdold
        wrote on last edited by
        #3

        Hi,
        the Qt version is 5.9.7.

          SGaist
          Lifetime Qt Champion
          wrote on last edited by
          #4

          Did you already check the bug report system to see if there's something related ?

            wdold
            wrote on last edited by
            #5

            Hi,
            thank you for the tip.
            I just searched in the bug report system but could not find an entry that fits the behaviour which I'm interested in.

            For me the cardinal question is, is it a conscious decision of the Qt developers not to search for the field "IP Address" in "Subject Alternative Name"?
            Or was it simply forgotten?
            Or is it planned to implement this in a future version?

              SGaist
              Lifetime Qt Champion
              wrote on last edited by
              #6

              That is something I don't currently know. Most likely a use case that didn't happen yet but that's pure speculation.

              The best in your case is to open a feature request providing a minimal compilable example as well as a small script to generate a test certificate.

                wdold
                wrote on last edited by
                #7

                If that would be the appropriate way to proceed, then I'll do that.
                How would I open a feature request? Sorry but I've never done that before.

                  SGaist
                  Lifetime Qt Champion
                  wrote on last edited by
                  #8

                  No worries. It's all on the bug report system. Just choose feature request in place of bug when creating the ticket.

                    wdold
                    wrote on last edited by wdold
                    #9

                    I just could not find "feature request" in the bug report system. So I created a bug entry.
                    Let's see what happens.
                    Thank you for your support.
