Add check of IP address

compare_server_name_to_cert() now checks the DNS names and IP addresses in the subjectAltName extension for a match.

testssl.sh

@@ -3161,7 +3161,7 @@ compare_server_name_to_cert()
 {
      local servername=$1
      local cert=$2
-     local cn sans san basename
+     local cn dns_sans ip_sans san basename
 
      cn="$(get_cn_from_cert $cert)"
      if [[ -n "$cn" ]]; then
@@ -3173,9 +3173,10 @@ compare_server_name_to_cert()
           fi
      fi
 
-     sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | grep "DNS:" | \
+     # Check whether any of the DNS names in the certificate match the servername
-         sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername:<unsupported>//g')
+     dns_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | \
-     for san in $sans; do
+              sed -e 's/,/\n/g' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g')
+     for san in $dns_sans; do
           [[ "$san" == "$servername" ]] && return 0
           # If $san is a wildcard name, then do a wildcard match
           if echo -n "$san" | grep -q '^*.'; then
@@ -3183,6 +3184,13 @@ compare_server_name_to_cert()
                [[ "$san" == "*.$basename" ]] && [[ "$servername" == *".$basename" ]] && return 0
           fi
      done
+
+     # Check whether any of the IP addresses in the certificate match the serername
+     ip_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A3 "Subject Alternative Name" | \
+             sed -e 's/,/\n/g' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g')
+     for san in $ip_sans; do
+          [[ "$san" == "$servername" ]] && return 0
+     done
      return 1
 }