
Add Subject Alternative Name ipAddress support #1778

@c-kruse

Description

When a router is configured with a listener+sslProfile containing a serving certificate with a SAN containing an IP Address, a connector configured with "host" set to that IP address will fail to validate the listener-side certificate unless verifyHostname is disabled.

Example certificate using SAN ipAddress.

$ openssl x509 -noout -text <server-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:mydomain.example.com, IP Address:172.18.255.163
            ...

It appears that proton chooses to implement some of this stuff itself, so it behaves slightly differently than it would with regular clients. My openssl client had no issues connecting to the same router listener by the same address that a skupper-router refused.

Workaround

The skupper control plane has always issued certificates containing alternative names for an IP address as both an IP address and as a DNS name (example DNS:skupper-router, DNS:skupper-router.west, DNS:172.18.255.162, IP Address:172.18.255.162). I suspect this is a non-standard practice. Proton/skupper-router will validate this fine.

Related History

skupperproject/skupper#510
skupperproject/skupper#514
https://issues.apache.org/jira/browse/PROTON-890
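
The following is an added example, not code from skupper-router, proton or the skupper control plane, showing how a standards-conforming client matches a connector "host" that is an IP literal against the certificate's SAN entries. Go's crypto/x509 is used as the reference client because its VerifyHostname follows RFC 6125 Appendix B.2: an IP literal is compared only against iPAddress SAN entries, never against dNSName entries or the subject CN. The helpers selfSigned, MatchesHost, StandardCert, WorkaroundCert and DNSOnlyIPCert are hypothetical names for this example; the certificates are generated in memory with the same SAN shapes as the ones quoted in the issue (the issue's cert as StandardCert, the control plane's dual DNS+IP form as WorkaroundCert), and a third variant carries the IP only as a dNSName string to show that the non-standard entry by itself does not satisfy such a client. Nothing here describes what proton's own matcher does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned is a hypothetical helper (not skupper code) that builds a
// self-signed serving certificate carrying the given dNSName and iPAddress
// subjectAltName entries, so the matching rules can be exercised offline.
func selfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "skupper-router"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		// Digital Signature only: an ECDSA key cannot do key encipherment.
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MatchesHost reports whether Go's crypto/x509 accepts cert for a connector
// "host" value. Go follows RFC 6125 Appendix B.2: if host parses as an IP
// literal it is compared only against iPAddress SAN entries, never against
// dNSName entries or the subject CN.
func MatchesHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// StandardCert mirrors the certificate shown in the issue: a DNS name plus a
// proper iPAddress SAN.
func StandardCert() (*x509.Certificate, error) {
	return selfSigned(
		[]string{"mydomain.example.com"},
		[]net.IP{net.ParseIP("172.18.255.163")},
	)
}

// WorkaroundCert mirrors what the skupper control plane issues: the IP both
// as a dNSName string and as an iPAddress entry.
func WorkaroundCert() (*x509.Certificate, error) {
	return selfSigned(
		[]string{"skupper-router", "skupper-router.west", "172.18.255.162"},
		[]net.IP{net.ParseIP("172.18.255.162")},
	)
}

// DNSOnlyIPCert carries the IP only as a dNSName string, with no iPAddress
// entry (a constructed variant, not something skupper issues), to show that
// the non-standard entry alone does not satisfy an RFC 6125 client.
func DNSOnlyIPCert() (*x509.Certificate, error) {
	return selfSigned([]string{"172.18.255.162"}, nil)
}

func main() {
	cases := []struct {
		name string
		mk   func() (*x509.Certificate, error)
		host string
	}{
		{"standard cert, IP host", StandardCert, "172.18.255.163"},
		{"standard cert, DNS host", StandardCert, "mydomain.example.com"},
		{"standard cert, wrong IP", StandardCert, "172.18.255.164"},
		{"workaround cert, IP host", WorkaroundCert, "172.18.255.162"},
		{"IP as dNSName only, IP host", DNSOnlyIPCert, "172.18.255.162"},
	}
	for _, c := range cases {
		cert, err := c.mk()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-30s host=%-22s accepted=%v\n", c.name, c.host, MatchesHost(cert, c.host))
	}
}
```

Run it with `go run .`; the standard cert is accepted for both the IP and the DNS host and rejected for a different IP, the dual-form workaround cert is accepted for the IP host because of its iPAddress entry, and the dNSName-only variant is rejected for the IP host. A client that instead matched the host string against dNSName entries would accept the last case and reject a certificate like the issue's, which is the behaviour difference the issue describes.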
