Issue #23239: ssl.match_hostname() now supports matching of IP addresses.
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index e7cf425..254fc1f 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -344,10 +344,9 @@
Verify that *cert* (in decoded format as returned by
:meth:`SSLSocket.getpeercert`) matches the given *hostname*. The rules
applied are those for checking the identity of HTTPS servers as outlined
- in :rfc:`2818` and :rfc:`6125`, except that IP addresses are not currently
- supported. In addition to HTTPS, this function should be suitable for
- checking the identity of servers in various SSL-based protocols such as
- FTPS, IMAPS, POPS and others.
+ in :rfc:`2818` and :rfc:`6125`. In addition to HTTPS, this function
+ should be suitable for checking the identity of servers in various
+ SSL-based protocols such as FTPS, IMAPS, POPS and others.
:exc:`CertificateError` is raised on failure. On success, the function
returns nothing::
@@ -369,6 +368,10 @@
IDN A-labels such as ``www*.xn--pthon-kva.org`` are still supported,
but ``x*.python.org`` no longer matches ``xn--tda.python.org``.
+ .. versionchanged:: 3.5
+ Matching of IP addresses, when present in the subjectAltName field
+ of the certificate, is now supported.
+
.. function:: cert_time_to_seconds(cert_time)
Return the time in seconds since the Epoch, given the ``cert_time``