Using a verbatim common name including a trailing dot when establishing a TLS connection causes certificate issues

[udoprog]

When using a fully qualified domain name like google.com. (note the trailing dot), reqwest uses the provided domain in verbatim when comparing the common name of the certificate (CN).

For example, this:

let text = reqwest::get("https://google.com.").await.unwrap().text().await.unwrap();

Errors like this on my machine using native-tls:

reqwest::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("google.com.")), port: None, path: "/", query: None, fragment: None }, 
source: Error { kind: Connect, source: Some(Os { code: -2146762481, kind: Uncategorized, message: "The certificate's CN name does not match the passed value." }) } }

A trailing dot should be semantically equivalent in DNS, but hardly anybody issues certificates with a CN including them. It might be appropriate to do like most browsers and filter such domains by ignoring the trailing dot when doing the CN comparison.

This seems to be the behavior of requests.

>>> import requests
>>> requests.get("https://google.com.") 
<Response [200]>

It might also be interesting to read Mozzila's position on the matter.