Reputation: 618
I have an IIS application with an HTTPS binding that uses a self-signed certificate. The certificate contains DNS names for the server's hostname, IPv4 address, and IPv6 address. I've installed the certificate on my client machine in the Local Machine's Trusted Root Certificate Authorities folder. Using a web browser I can connect to the server using the host name and both IP addresses without certificate errors. I'm also writing a C# client application that needs to connect to the server. In the application's configuration if I specify the hostname or IPv4 address, the application can connect just fine, but if I specify the IPv6 address I get an exception. The innermost message is "The remote certificate is invalid according to the validation procedure." If I configure the site to accept HTTP requests, the client application can connect just fine using IPv6.
What do I need to do to get the client application to trust my certificate when using the IPv6 address?
Edit: In case it's relevant, I'm using HttpClient's PostAsync method to submit requests.
Upvotes: 0
Views: 2663
Reputation: 123320
> The certificate contains DNS names for the server's hostname, IPv4 address, and IPv6 address.
IPv4 and IPv6 addresses should not be given as DNS names (type dNSName) but as type iPAddress in the subject alternative names extension. But MSIE is known to expect this as dNSName, although this is wrong, so you should probably add these both as dNSName and iPAddress.
If it is still not possible to connect with your application, it might be a bug in the certificate validation in C# or in the way you specify the IPv6 address in the URL (i.e. different syntax than expected). Since using IP addresses inside a certificate, and especially IPv6, is an uncommon case, this might not be that well tested in C# and the TLS library.
Upvotes: 2
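As an added example (not code from either post), this C# program creates a self-signed certificate whose subject alternative names carry each address both as iPAddress and as dNSName, as the answer suggests, then prints the SAN extension and the bracketed URL form of the IPv6 address. The host name and addresses are constructed placeholders, and `CertificateRequest` is assumed to be available (.NET Framework 4.7.2 or .NET Core 2.0 and later).

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SanExample
{
    // Constructed sample values (documentation ranges), not from the posts.
    const string HostName = "server.example.test";
    static readonly string[] Addresses = { "192.0.2.10", "2001:db8::10" };

    static X509Certificate2 CreateCertificate()
    {
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(HostName);
        foreach (string text in Addresses)
        {
            san.AddIpAddress(IPAddress.Parse(text)); // iPAddress entry (the correct type)
            san.AddDnsName(text);                    // dNSName duplicate for clients that expect it
        }

        using (RSA key = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=" + HostName, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            request.CertificateExtensions.Add(san.Build());
            // Restrict the certificate to TLS server authentication.
            request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));
            DateTimeOffset now = DateTimeOffset.UtcNow;
            return request.CreateSelfSigned(now.AddMinutes(-5), now.AddYears(1));
        }
    }

    static void Main()
    {
        using (X509Certificate2 cert = CreateCertificate())
        {
            // 2.5.29.17 is the subject alternative name extension; check the entry types listed.
            foreach (X509Extension ext in cert.Extensions)
                if (ext.Oid?.Value == "2.5.29.17")
                    Console.WriteLine(ext.Format(true));
        }
        // An IPv6 literal must be bracketed in a URL; UriBuilder adds the brackets.
        Uri uri = new UriBuilder("https", Addresses[1]).Uri;
        Console.WriteLine(uri + " -> " + uri.HostNameType); // host is parsed as IPv6
    }
}
```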