0

UPDATE: This question is illogical. HTTPS does not authenticate the IP address; I was wrong.

I guess my question (should have been) how can I verify the server's IP from the cert? I thought that was an important part of it.

;; ANSWER SECTION:
www.kiwibank.co.nz. 60  IN  CNAME   static.kbprod.cloud.
static.kbprod.cloud.    60  IN  A   54.192.135.164
static.kbprod.cloud.    60  IN  A   54.192.135.228
static.kbprod.cloud.    60  IN  A   54.192.135.182
static.kbprod.cloud.    60  IN  A   54.192.135.28
static.kbprod.cloud.    60  IN  A   54.192.135.17
static.kbprod.cloud.    60  IN  A   54.192.135.117
static.kbprod.cloud.    60  IN  A   54.192.135.110
static.kbprod.cloud.    60  IN  A   54.192.135.169


Tomachi
  • 127
  • 5
  • 2
    Please cite source of belief that certs validate IPs. If you are unsure on this point, why not research to confirm? – schroeder Dec 05 '17 at 17:40

2 Answers

2

> One of the main benefits of ssl/https is the verification of the ip address of the server in question.

I think there is a misunderstanding.

SSL as commonly used does not verify the IP address. Instead, it is verified that the name in the certificate's subject matches the expected domain (not IP). This check protects against man in the middle attacks where the attacker tries to intercept the traffic by using a publicly trusted certificate issued for a different domain.

Thus, HTTPS does not validate that the IP is correct. But it validates that it is connected to the expected server, no matter what the IP was. This way HTTPS protects against IP spoofing attacks - and this is maybe where you got the idea from that HTTPS checks the IP address. For more information on this see Preventing a spoofing man in the middle attack?.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
1

Unless I'm mistaken, I don't believe IP information is stored anywhere in the SSL certificate. That would break the portability of the cert.

What you're probably referring to is the verification of subsequent requests/responses; that type of verification is set up via the initial HTTPS handshake and is cert-independent.

  • 1
    You can store IP addresses in Subject Alternative Names of X.509 certificates but it is seldom used since hostnames are more user friendly and this allows relocation of services. – eckes Nov 12 '18 at 07:30
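
Added example, not written by any of the posters above: a sketch of the identity check a TLS client performs, showing that the address DNS returned is never an input and that an IP is only accepted when the client asked for an IP literal and the certificate carries a matching iPAddress SAN. It assumes certificate dicts shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; the function names, host names and addresses are constructed for illustration, and the wildcard handling is simplified.

```python
import ipaddress

# Constructed sample certificates in getpeercert() shape (not real certs).
NAME_CERT = {"subjectAltName": (("DNS", "www.example.com"),
                                ("DNS", "*.cdn.example.net"))}
IP_CERT = {"subjectAltName": (("DNS", "vpn.example.com"),
                              ("IP Address", "192.0.2.10"))}


def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def cert_matches(cert: dict, target: str) -> bool:
    """Compare the certificate with what the client asked for (name or IP literal).

    The address the name resolved to is deliberately not a parameter:
    any of the A records may answer, as long as it holds a key for the name.
    """
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(target)
    except ValueError:
        wanted_ip = None      # target is a host name, not an IP literal
    if wanted_ip is not None:
        # Client asked for an IP literal: only iPAddress SANs count.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in sans)


if __name__ == "__main__":
    for cert, target in [(NAME_CERT, "www.example.com"), (NAME_CERT, "192.0.2.10"),
                         (IP_CERT, "192.0.2.10"), (IP_CERT, "192.0.2.11")]:
        print(target, "->", cert_matches(cert, target))
```
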