On Thu, 7 Apr 2022 at 20:04, Dave Jones <[email protected]> wrote:

> Yeah, that works even better.
>

Trying to make it a full week without disagreeing with Alan, let me just
complement his post...

Indeed, certificates these days have the hostname in the Subject Alternate
Name extension. Just like your browser, the TCPCLIENT will do hostname
validation when you connect by hostname. Unlike the browser, we don't
prompt the user to click [Advanced] but simply reject the connection
request. Unfortunately, sometimes the people dealing with the certificates
insist on using different names; in that case you'll have to use UNSAFE to
disable the check.

You can also have a DNS certificate with an IP address in the extension for
validation. That's less common, so by default TCPCLIENT does not do
validation unless you use the SAFE option. I don't think the public CA will
do this, but you may have your own in-house CA that can.

I do use a public DNS for some of my experiments, but rmhvmy.rvdheij.com
resolves to an internal IP address. I can get a certificate for that host
because the CA only needs me to own the rvdheij.com domain and doesn't care
what it resolves to. I once did all the juggling to play Let's Encrypt to
get me a free certificate for 3 months, but that really wasn't worth the
hassle.

Rob

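The SAN matching rules Rob describes (hostname checked by default, an IP Address SAN only checked with SAFE, the whole check skipped with UNSAFE), written out as an added example. This is illustrative code, not TCPCLIENT's own implementation; the SAN list and the `mode` parameter are constructed for the example.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed SAN entries standing in for what a parser would pull out of a
# certificate's SubjectAltName extension. Not from any real certificate.
SAMPLE_SAN = [
    ("DNS", "rmhvmy.rvdheij.com"),
    ("DNS", "*.example.test"),
    ("IP Address", "10.0.0.5"),
]

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, a wildcard is allowed only
    as the whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:] and h_labels[0] != "")

def validate_peer(target: str, san: Iterable[Tuple[str, str]],
                  mode: str = "default") -> Tuple[bool, str]:
    """Decide whether the SAN entries match the connect target.
    mode "default": DNS targets are validated, IP targets are not checked.
    mode "safe":    an IP target must also match an IP Address SAN.
    mode "unsafe":  no name check at all (accept any certificate).
    Returns (accepted, reason)."""
    if mode == "unsafe":
        return True, "name check disabled"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is None:  # connecting by hostname: always validated
        for kind, value in san:
            if kind == "DNS" and _dns_match(value, target):
                return True, f"DNS SAN {value} matches {target}"
        return False, f"no DNS SAN matches {target}"
    if mode != "safe":  # mirrors the described default for IP targets
        return True, "IP target not validated (default)"
    for kind, value in san:
        if kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True, f"IP SAN {value} matches"
    return False, f"no IP Address SAN matches {target}"
```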