attested-tls models certificate identity as strings:
primary_name: Stringsubject_alt_names: Vec<String>
That works for DNS hostnames, but for deployments where clients connect by IP address instead of hostname, rustls/webpki expects the server certificate to contain an actual IP SAN. A DNS SAN containing a string like "203.0.113.10" is not equivalent and will fail name verification when the client connects by IP.
In the current API, AttestedCertificateResolver::new(...) only accepts string names, so callers cannot express whether an identity is a hostname or an IP address.
As a result, projects using attested-tls cannot correctly generate attested certificates for IP-only endpoints.
This is not really an issue when using nested-tls, as the inner session inherits the hostname from the outer session.
But when we only have the inner session, it can be tricky.
I noticed this when trying to integrate with attested-tls-proxy in flashbots/attested-tls-proxy#152
attested-tlsmodels certificate identity as strings:primary_name: Stringsubject_alt_names: Vec<String>That works for DNS hostnames, but for deployments where clients connect by IP address instead of hostname, rustls/webpki expects the server certificate to contain an actual IP SAN. A DNS SAN containing a string like
"203.0.113.10"is not equivalent and will fail name verification when the client connects by IP.In the current API,
AttestedCertificateResolver::new(...)only accepts string names, so callers cannot express whether an identity is a hostname or an IP address.As a result, projects using attested-tls cannot correctly generate attested certificates for IP-only endpoints.
This is not really an issue when using nested-tls, as the inner session inherits the hostname from the outer session.
But when we only have the inner session, it can be tricky.
I noticed this when trying to integrate with attested-tls-proxy in flashbots/attested-tls-proxy#152