Server name check should automatically check IP address SAN

[CMCDragonkai]

Specification

OpenSSL implementations in nodejs automatically checks for IP SAN when checking the server name. Thus it is then possible to support certificates that are signed for certain IP addresses.

However quiche's boring usage did not activate this, so it completely ignores IP SANs.

In our tests, which we use localhost and 127.0.0.1 and ::1 alot, without this it results in a bunch of TLS verification failures.

To get around this, we ended up with DNS SANs that are 127.0.0.1 and ::1 as strings. However this is not correct as there are multiple forms of ::1 that is valid, and the IP SANs would allow the TLS library to understand it's not just a string match, and instead do an IP equivalence check.

This will require an upstream fix, details are here: #53 (comment)

Additional context

• Events Refactoring (integrating js-events) #53 (comment)
• Events Refactoring (integrating js-events) #53 (comment)

Tasks

1. ...
2. ...
3. ...

[CMCDragonkai]

For PK, this is not a blocker, since we don't rely on IPs necessarily. We rely on custom Node ID verification. However, if we create an HTTP status page, and people expect to be able to contact it from a browser, it would be nice for it work out of the box for localhost or local IPs.

Note that at this point it is still a self-signed certificate, and not signed by a public third party CA. That's ok, as the browser will ask once, and then accept it, the browser as a client would not understand the Node ID, but would understand normal verification based on localhost hostname or 127.0.0.1 IP SAN.