gSoap: connect via IP results in SSL/TLS certificate host name mismatch

Question

I am using gSoap to connect to a server known by its fixed IP address.

I expect this to work, as the server certificate contains "subject alternative name" entries for this IP address. However, I get an "SSL/TLS certificate host name mismatch in tcp_connect".

Searching about this problem, I found this SE post. Looking at the code shown there, I found out that only DNS names are tested against the URL, not IP addresses (stdsoap2.cpp):

if (nval && !strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
{ ok = 1;
  break;
}

I managed to make the connection working by changing code like this:

if (nval && !strcmp(nval->name, "DNS") && !strcmp(nval->value, host))
{ ok = 1;
  break;
}

if (nval && !strcmp(nval->name, "IP Address") && !strcmp(nval->value, host))
{ ok = 1;
  break;
}

Question: Should I consider this a bug in gSoap and file a patch, or is it rather a result of wrong SSL usage? Should I just fix this by adding the IP to subject alternative names as a DNS name, instead of IP address?

Answer 1

Should I consider this a bug in gSoap and file a patch

I would consider it a bug. And it is the same bug as Microsoft is having with IE etc in that they check IP address inside the dNSName entry and not (like all others do) in the IPAddress entry.

Answer 2

I would consider the following patch with an additional improvement to support wildcards (*) in domains and IP addresses:

if (nval &&
    (!strcmp(nval->name, "DNS") || !strcmp(nval->name,"IP Address")) &&
    !soap_tag_cmp(nval->value, host))
{ ok = 1;
  break;
}