lib/httpx/io/ssl.rb in httpx-0.24.4 vs lib/httpx/io/ssl.rb in httpx-0.24.5
- old
+ new
@@ -2,11 +2,10 @@
require "openssl"
module HTTPX
TLSError = OpenSSL::SSL::SSLError
- IPRegex = Regexp.union(Resolv::IPv4::Regex, Resolv::IPv6::Regex)
class SSL < TCP
using RegexpExtensions unless Regexp.method_defined?(:match?)
TLS_OPTIONS = if OpenSSL::SSL::SSLContext.instance_methods.include?(:alpn_protocols)
@@ -39,11 +38,10 @@
end
yield(self) if block_given?
end
- @hostname_is_ip = IPRegex.match?(@sni_hostname)
@verify_hostname = @ctx.verify_hostname
end
if OpenSSL::SSL::SSLContext.method_defined?(:session_new_cb=)
def session_new_cb(&pr)
@@ -87,17 +85,19 @@
super
return if @state == :negotiated ||
@state != :connected
unless @io.is_a?(OpenSSL::SSL::SSLSocket)
- if @hostname_is_ip
+ if (hostname_is_ip = (@ip == @sni_hostname))
+ # IPv6 address would be "[::1]", must turn to "0000:0000:0000:0000:0000:0000:0000:0001" for cert SAN check
+ @sni_hostname = @ip.to_string
# IP addresses in SNI is not valid per RFC 6066, section 3.
@ctx.verify_hostname = false
end
@io = OpenSSL::SSL::SSLSocket.new(@io, @ctx)
- @io.hostname = @sni_hostname unless @hostname_is_ip
+ @io.hostname = @sni_hostname unless hostname_is_ip
@io.session = @ssl_session unless ssl_session_expired?
@io.sync_close = true
end
try_ssl_connect
end
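Review bot: The new `hostname_is_ip = (@ip == @sni_hostname)` test on the `if` line compares what looks like an IPAddr (`@ip`, given the later `@ip.to_string`) against the String `@sni_hostname`, and it only yields `false` for a plain DNS name because `IPAddr#==` coerces the string via `IPAddr.new` and rescues the resulting parse error; a reader skimming this will assume a String-to-String compare, so that dependency deserves a comment such as `# IPAddr#== coerces the String; a non-IP hostname fails to parse and compares false instead of raising`. The same coercion is what makes the bracketed `"[::1]"` form mentioned in the comment match, which is worth stating there too. Since the branch then overwrites `@sni_hostname` with the expanded form, whatever performs the certificate SAN check the comment refers to (presumably a `post_connection_check` call outside this hunk) must accept the uncompressed IPv6 text rather than the bracketed original — worth confirming against that call site. The enclosing method's signature lies before the start of the hunk.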