Comment 28 for bug 1834340

Mauricio Faria de Oliveira (mfo) wrote :

Dan,

Very good point.

Access by IP address didn't work before -- I just checked w/ Xenial / OpenSSL 1.0.0,
and it fails with certificate verification error too.

IIUIC this seems reasonable - as the default certificate is the only thing the server
could send to the client without SNI (which is prohibited for IP addresses) to hint/tell
the server which hostname it wants the certificate for, and the certificate owners
would need to keep the default certificate up-to-date with all IP addresses the server
could possibly serve/respond on (it seems unfeasible).

So we should be good on this particular case!
Thanks for catching this.

--

$ lsb_release -cs
xenial

$ dpkg -l | grep libssl1. | awk '{ print $2 }'
libssl1.0.0:amd64

$ mailutil check {imap.gmail.com:993/imap/ssl}INBOX
{cb-in-f109.1e100.net/imap} username: ^C

$ host imap.gmail.com | grep -m1 address
gmail-imap.l.google.com has address 64.233.186.108

$ mailutil check {64.233.186.108:993/imap/ssl}INBOX
Certificate failure for 64.233.186.108: Server name does not match certificate: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=imap.gmail.com
Certificate failure for 64.233.186.108: Server name does not match certificate: /C=US/ST=California/L=Mountain View/O=Google LLC/CN=imap.gmail.com
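
Added example, not part of the original comment and not the code of mailutil or OpenSSL: a Python sketch of the two client-side decisions discussed above, namely whether a target may be sent as SNI and whether a certificate covers it. The certificates are constructed in the dict shape returned by `ssl.SSLSocket.getpeercert()`, the function names are hypothetical, and matching on subjectAltName only is an assumption of this sketch.

```python
import ipaddress

# Constructed sample: a certificate that only names the hostname.
SAMPLE_CERT = {
    "subject": ((("commonName", "imap.gmail.com"),),),
    "subjectAltName": (("DNS", "imap.gmail.com"),),
}
# Constructed sample: what the owner would have to issue for IP access to verify.
CERT_WITH_IP = {
    "subject": ((("commonName", "imap.gmail.com"),),),
    "subjectAltName": (("DNS", "imap.gmail.com"),
                       ("IP Address", "64.233.186.108")),
}

def parse_ip(target):
    """Return an ip_address object for an IP literal, else None."""
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None

def sni_name(target):
    """Name to put in the SNI extension; None for IP literals,
    which RFC 6066 does not permit as host_name."""
    return None if parse_ip(target) is not None else target

def dns_match(pattern, host):
    """Case-insensitive match; '*.' covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, rest = host.partition(".")
        return bool(rest) and rest == pattern[2:]
    return pattern == host

def identity_matches(cert, target):
    """IP literals match only 'IP Address' SAN entries; hostnames only 'DNS'."""
    sans = cert.get("subjectAltName", ())
    ip = parse_ip(target)
    if ip is not None:
        return any(kind == "IP Address" and parse_ip(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and dns_match(value, target)
               for kind, value in sans)

if __name__ == "__main__":
    for target in ("imap.gmail.com", "64.233.186.108"):
        print(target, "SNI:", sni_name(target),
              "verifies:", identity_matches(SAMPLE_CERT, target))
```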