From aa799a482e28992b4a068d28aa9fe2ef30725251 Mon Sep 17 00:00:00 2001
From: yggverse <yggverse@project>
Date: Tue, 31 Mar 2026 15:40:05 +0300
Subject: [PATCH] implement default cert fallback (SNI-less IP as host support)

---
 src/certificates.rs | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/certificates.rs b/src/certificates.rs
index 683f1eb..3a39a8e 100644
--- a/src/certificates.rs
+++ b/src/certificates.rs
@@ -222,8 +222,13 @@ impl ResolvesServerCert for CertStore {
                 .map(|(_, k)| k)
                 .cloned()
         } else {
-            // This kind of resolver requires SNI.
-            None
+            // This kind of resolver requires SNI. Fallback to default cert.
+            // * must exist in the `.certificates` root
+            // * CN value can be any
+            self.certs
+                .iter()
+                .find(|(domain, _)| domain.is_empty())
+                .map(|(_, key)| Arc::clone(key))
         }
     }
 }