Certificate IP Address SAN (Subject Alt Name) and https://1.1.1.1

On April 1 2018, CloudFlare announced the Internet's fastest, privacy-first resolver 1.1.1.1. It also provide a directly Webpage at https://1.1.1.1.

The interesting part is my browser actually trusts this site (as shown on the Firefox above) by visiting the target IP 1.1.1.1.  This is rare as almost all https are now using domain name based certificate to match the FQDN we input in browser address bar. We almost take for granted that input an IP address for https will result a certificate warning and I definitely read before that request for a certificate for IP is not allowed now, for example, here.

So what is really happening here ?

A quickly check the certificate shows the cert is valid for *.cloudflare-dns.com and although 1.1.1.1 does resolve to  1dot1dot1dot1.cloudflare-dns.com, this alone will not make browser to trust the site.

Finally check the Certificate Subject Alt Name (SAN) extensions, we found out there are 4 IPv4/IPv6 addresses including the target 1.1.1.1. And this is the trick that why my browser trusts such site.

Well, not all browsers works for such site. IE 11 on my laptop (version 11.0.9600.17961) still shows a certificate warning message.