On 2024-05-17 Elliott Mitchell <ehem+deb...@m5p.com> wrote:
> On Thu, May 16, 2024 at 07:06:49PM -0700, Elliott Mitchell wrote:
> > On Tue, May 14, 2024 at 06:22:09PM +0200, Andreas Metzler wrote:
[...]
> > > Could you please post the requested output, although there are no
> > > obvious clues there to your eyes?
> >
> > Problem is that provides rather a lot of data about this network setup.
> > The quantity of information is enough for me to be rather uncomfortable
> > with providing it via public channel.
[...]
> > I notice the `_gnutls_dnsname_is_valid()` function in
> > gnutls28-3.8.5/lib/str.h accepts IPv4 addresses (which are NOT valid in
> > DNS), but rejects IPv6 addresses.

Hello,

At a very bare level an IPv4 address is a valid DNS name (alnum, dashes,
and dots), an IPv6 address is not. That is what gnutls is checking here.
Afaict it is a short-cut to save more expensive processing for obvious
errors.

gnutls_session_get_verify_cert_status() (with
gnutls_session_set_verify_cert() set correctly) or
gnutls_x509_crt_check_hostname()/gnutls_certificate_verify_peers3() does
more elaborate stuff on the data, gnutls_certificate_verify_peers2()
requires a separate gnutls_x509_crt_check_hostname().

cu Andreas
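
The character-class shortcut described in the reply above, as an added example that is not part of the original message and is not GnuTLS source code: `name_charset_ok()` restates the alnum/dash/dot test, and `classify_peer_name()` (a hypothetical helper) parses with `inet_pton()` to show why an IPv4 literal passes that test while an IPv6 literal cannot. The sample names are constructed and use documentation address ranges.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: stand-alone restatement of the check described in the
 * mail (alnum, dashes, dots only). An embedded NUL byte fails it too. */
static int name_charset_ok(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

enum name_kind { NAME_REJECTED, NAME_DNS_SHAPED, NAME_IPV4, NAME_IPV6 };

/* Hypothetical helper: decide how a caller-supplied peer name should be
 * treated before the certificate hostname check is run on it. */
static enum name_kind classify_peer_name(const char *s, size_t len)
{
    char buf[256];
    unsigned char addr[16]; /* large enough for an IPv6 address */

    /* Assumption of this example: empty, oversized and NUL-carrying
     * names are refused outright. */
    if (len == 0 || len >= sizeof(buf) || memchr(s, '\0', len) != NULL)
        return NAME_REJECTED;
    memcpy(buf, s, len);
    buf[len] = '\0';
    /* IP literals are identified by parsing, not by character class. */
    if (inet_pton(AF_INET, buf, addr) == 1)
        return NAME_IPV4;   /* digits and dots: passes name_charset_ok() */
    if (inet_pton(AF_INET6, buf, addr) == 1)
        return NAME_IPV6;   /* ':' fails name_charset_ok() */
    return name_charset_ok(buf, len) ? NAME_DNS_SHAPED : NAME_REJECTED;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *in[] = { "mail.example.org", "192.0.2.10", "2001:db8::10" };
    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
        printf("%-18s charset_ok=%d kind=%d\n", in[i],
               name_charset_ok(in[i], strlen(in[i])),
               (int)classify_peer_name(in[i], strlen(in[i])));
    return 0;
}
```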