module OpenSSL::SSL

def verify_certificate_identity(cert, hostname)
  should_verify_common_name = true
  cert.extensions.each{|ext|
    next if ext.oid != "subjectAltName"
    ext.value.split(/,\s+/).each{|general_name|
      if /\ADNS:(.*)/ =~ general_name
        should_verify_common_name = false
        reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
        return true if /\A#{reg}\z/i =~ hostname
      # NOTE: somehow we need the IP: canonical form
      # seems there were failures elsewhere when not
      # not sure how that's possible possible to-do!
      elsif /\AIP(?: Address)?:(.*)/ =~ general_name
      #elsif /\AIP Address:(.*)/ =~ general_name
        should_verify_common_name = false
        return true if $1 == hostname
      end
    }
  }
  if should_verify_common_name
    cert.subject.to_a.each{|oid, value|
      if oid == "CN"
        reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
        return true if /\A#{reg}\z/i =~ hostname
      end
    }
  end
  return false
end