From d4f78677243cfa6b55cacbe26894dad96e0897a1 Mon Sep 17 00:00:00 2001
From: Johann150
Date: Fri, 3 Apr 2026 19:30:52 +0200
Subject: [PATCH] default cert fallback without SNI
The protocol specification requires that clients do not use SNI when IP addresses are used instead of domains.
closes https://github.com/mbrubeck/agate/pull/433
Co-authored-by: oooo-ps
---
 src/certificates.rs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/certificates.rs b/src/certificates.rs
index 683f1eb..385c843 100644
--- a/src/certificates.rs
+++ b/src/certificates.rs
@@ -222,8 +222,12 @@ impl ResolvesServerCert for CertStore {
 .map(|(_, k)| k)
 .cloned()
 } else {
- // This kind of resolver requires SNI.
- None
+ // Fallback to default cert. Due to the certificate loading logic,
+ // the fallback cert is always the last one, if it is present.
+ match self.certs.last() {
+ Some((domain, key)) if domain.is_empty() => Some(key.clone()),
+ _ => None,
+ }
 }
 }
 }
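Review bot: The new `else` branch finds the default certificate by position (`self.certs.last()`), so it is correct only while the loading code, which is outside this hunk, keeps the empty-domain entry at the end of the list; if that ordering ever changes, clients that omit SNI silently get `None` again and the handshake fails. Selecting by key removes that dependency: `self.certs.iter().rev().find(|(domain, _)| domain.is_empty()).map(|(_, key)| key.clone())`. The comment should also record that the default certificate is now presented to every client that sends no SNI, including ones that connect by bare IP address, so its subject names become visible to them, and that the host named in the request still has to be validated after the handshake (presumably done elsewhere, not visible here). The enclosing method starts above the hunk, so the SNI branch could not be checked against this change.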