Fix two minor errors in hostname validation.
RFC 6125 says that if the host is an IP address, a subjectAltName of type iPAddress must (no 2119 caps) be present and must be used. We would still fall back to checking the Common Name if no subjectAltName was present. https://marc.info/?l=openssl-dev&m=139617145216047&w=2 interprets RFC 6125 to say that if the host is a DNS name, but the certificate only contains a subjectAltName of type iPAddress, then we should still fall back to checking the Common Name. We would only check the Common Name if there was no subjectAltName of any type. Restructure the hostname validation to check IP addresses up-front and fall back to checking the Common Name in the proper cases.
Showing with 145 additions and 131 deletions