Comment 3 for bug 925657

Oh, as for the IP address-- it depends on if you want to support an IP address in your certificate's Common Name or Subject Alternative Name . If you do you also want to verify it and do a reverse lookup on the IP to make sure that everything is ok. Ie, lookup the IP for rdp.foo.com, then lookup that IP to make sure that you get back rdp.foo.com. Error out if they don't match. If they do match, proceed to check that the IP address listed in the Common Name or Subject Alternative Name matches what you just verified in your reverse lookup. Supporting IP addresses means that you could be mitm via DNS attacks (ie, the DNS server resolves the attacker's IP back to rdp.foo.com and the attacker presents a verifiable certificate for his IP, and since everything matches, it is accepted).