@nate wrote:
I think if we parsed the certificate data on the client side (in the controller code) we could extract the SANs and check them against the requested hostname, and bail out with a good error message before we even request a tunnel. Obviously, “parse the certificate” is a real pain, but may be worth it.
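A sketch of the pre-flight check proposed above, as an added example that is not part of the original post or the project's code: it parses the PEM certificate, matches the requested hostname against the SANs, and returns an error that names the SANs found. `PreflightSAN`, `SampleCertPEM` and the `example.test` names are hypothetical; the sample certificate is constructed at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PreflightSAN returns a descriptive error when no SAN in certPEM covers host.
func PreflightSAN(certPEM []byte, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	// VerifyHostname matches SANs only; "*" covers exactly one leftmost label.
	if err := cert.VerifyHostname(host); err != nil {
		return fmt.Errorf("certificate does not cover %q (DNS SANs: %v)", host, cert.DNSNames)
	}
	return nil
}

// SampleCertPEM builds a throwaway self-signed certificate (constructed data).
func SampleCertPEM(sans ...string) []byte {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	c := SampleCertPEM("app.example.test", "*.apps.example.test")
	fmt.Println(PreflightSAN(c, "other.example.test"))
}
```

This checks SAN coverage only; chain validity and expiry are separate checks.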