fix: bracketed IPv6, localhost SAN, split host-check helpers

- is_doh_host split into strip_port + is_loopback_host + is_tld_match - strip_port handles bracketed IPv6 ([::1]:443) and rejects bare IPv6 - Add [::1] to accepted loopback hosts, add localhost DNS SAN to cert - Remove dead sans.is_empty() guard (loopback IPs always present)
2026-04-12 22:26:44 +03:00
parent 3665deb56b
commit 115a55b199
2 changed files with 34 additions and 16 deletions
--- a/src/tls.rs
+++ b/src/tls.rs
@@ -194,14 +194,11 @@ fn generate_service_cert(
        std::net::Ipv6Addr::LOCALHOST,
    )));

-    // Bare TLD (e.g. "numa") for DoH via https://numa/dns-query
-    match tld.to_string().try_into() {
-        Ok(ia5) => sans.push(SanType::DnsName(ia5)),
-        Err(e) => warn!("invalid SAN {}: {}", tld, e),
-    }
-
-    if sans.is_empty() {
-        return Err("no valid service names for TLS cert".into());
+    for name in ["localhost", tld] {
+        match name.to_string().try_into() {
+            Ok(ia5) => sans.push(SanType::DnsName(ia5)),
+            Err(e) => warn!("invalid SAN {}: {}", name, e),
+        }
    }

    params.subject_alt_names = sans;