TLSOptions.client_unsafe() still checks the certificate name

Godot Version

4.5.1

Question

I’m currently fiddling around writing a fediverse client in Godot. For that I have a local Mastodon server behind a self-signed TLS certificate.

If I understand the docs correctly, TLSOptions.client_unsafe should ignore wrong common names and self-signed certificates.

(…) but the common name of the certificates will never be checked

However, this small test script fails:

func _on_test_tls_pressed() -> void:
	var stream := StreamPeerTCP.new()
	stream.connect_to_host("mastodon.local", 10443)
	var tls := StreamPeerTLS.new()
	var error := tls.connect_to_stream(stream, "mastodon.local", TLSOptions.client_unsafe())
	
	while tls.get_status() <= StreamPeerTLS.STATUS_HANDSHAKING:
		tls.poll()
		await get_tree().process_frame
	assert(tls.get_status() == StreamPeerTLS.STATUS_CONNECTED)

Instead, I get the status STATUS_ERROR_HOSTNAME_MISMATCH.

As an addendum: I’m using Caddy as my web server and it doesn’t set the certificate subject. Instead, it sets the SAN of the certificate to the address mastodon.local
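
For comparison with the unsafe-client test above, here is an added example (not part of the original post) that keeps verification switched on by passing the server's own certificate chain to TLSOptions.client(). It assumes the self-signed or local CA certificate has been exported as PEM to the hypothetical path res://certs/local_ca.crt; the function name connect_pinned is illustrative, and the host and port are the ones from the post.

```gdscript
extends Node

const HOST := "mastodon.local"               # from the post
const PORT := 10443                          # from the post
const CA_PATH := "res://certs/local_ca.crt"  # assumption: exported PEM certificate

# Returns a connected StreamPeerTLS, or null on any failure. Call with `await`.
func connect_pinned() -> StreamPeerTLS:
	# Load the certificate that should act as the only trust anchor.
	var ca := X509Certificate.new()
	if ca.load(CA_PATH) != OK:
		push_error("Cannot load trusted certificate: %s" % CA_PATH)
		return null

	var tcp := StreamPeerTCP.new()
	if tcp.connect_to_host(HOST, PORT) != OK:
		push_error("Cannot start TCP connection to %s:%d" % [HOST, PORT])
		return null
	# connect_to_host() is non-blocking: poll until the socket leaves CONNECTING.
	while tcp.get_status() == StreamPeerTCP.STATUS_CONNECTING:
		tcp.poll()
		await get_tree().process_frame
	if tcp.get_status() != StreamPeerTCP.STATUS_CONNECTED:
		push_error("TCP connection failed")
		return null

	# TLSOptions.client(trusted_chain) validates the peer against `ca`
	# and still checks that the certificate is valid for HOST.
	var tls := StreamPeerTLS.new()
	if tls.connect_to_stream(tcp, HOST, TLSOptions.client(ca)) != OK:
		push_error("Cannot start TLS handshake")
		return null
	while tls.get_status() == StreamPeerTLS.STATUS_HANDSHAKING:
		tls.poll()
		await get_tree().process_frame

	# Report the two failure statuses separately so a log shows which check failed.
	match tls.get_status():
		StreamPeerTLS.STATUS_CONNECTED:
			return tls
		StreamPeerTLS.STATUS_ERROR_HOSTNAME_MISMATCH:
			push_error("Peer certificate was not accepted for %s" % HOST)
		_:
			push_error("TLS handshake failed with status %d" % tls.get_status())
	return null
```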