[freeone3000]

The BSD networking stack treats an IP addr as a valid hostname for hostname resolution. As such, every phone, tablet, and computer able to do TLS by hostname can do it by IP. Try it out! Self-sign an IP certificate and try it on your local net. If you put it in the trust store, it’ll validate just fine. The only barrier to adoption was CAs refusing to issue IP certificates at large.

[mananaysiempre]

Noot quite. DNS hostnames and IP addresses are encoded differently in X.509 certs: one is the dNSName option of the GeneralName choice type in the subjectAltName extension[1], the other is the iPAddress option. (And before you ask, tagging a stringified IP address quad as a dNSName is misissuance per the CA/Browser Forum Baseline Requirements[2] and liable to get your CA kicked from certificate stores. Ambiguous encodings are dangerous.) So some explicit support from the TLS library is indeed required. But I’m indeed not aware of many apps having problems with IP address certs.

[1] https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1....

[2] https://cabforum.org/working-groups/server/baseline-requirem...

[Hizonner]

Um, the BSD networking stack I'm familiar with doesn't include TLS or X.509 validation at all. The question isn't what you get from gethostbyname. It's what you get when you hand that to your X.509 validator.