gnutls_x509_crt_check_hostname2 has no way to prevent IPs from being matched
Currently gnutls_x509_crt_check_hostname2() matches either hostnames or IP addresses under the assumption that a valid textual IP address can never match a DNS name. Unfortunately that assumption may not always hold true. We should provide an option to opt-out or opt-in to that behavior, as far as possible without harming backwards compatibility.
See discussion at: https://lists.gnupg.org/pipermail/gnutls-devel/2017-March/008368.html