On Wed, 2019-06-19 at 11:51 +0000, Sivaraman Nainar wrote:
> Can you please help to confirm the behavior?
>
> From: Sivaraman Nainar
> Sent: Friday, June 7, 2019 2:48 PM
> To: devel@edk2.groups.io
> Subject: reg: Multiple Host Name Certificate
>
> Hello:
>
> Can someone help to confirm whether EDK2 supports multiple host names?
>
> We need to have an environment where the HTTPS request should work
> fine for both IP-based and host-name-based access. When we create
> certificates with the CN as the host name and the SAN as the IP, the
> TLS handshake works only for the host name and produces a handshake
> error when the requests are IP based.
>
> If this question needs to be raised in another forum, please help to
> redirect.

I can't actually see where we do these checks at all. OpenSSL doesn't do
them for us internally (as it doesn't even know the hostname we happened
to use to establish the connection), although it does offer
X509_check_ip() and X509_check_host() functions.

From code inspection I'd have guessed that the code would tolerate *any*
valid certificate, even for a host other than the one it actually
attempted to connect to. Surely that can't be true? Where *is* it?