Ticket #5190 enhancement new

Opened 23 months ago

Last modified 23 months ago

RFC 6125 ("Service Identity") implementation

Reported by: glyph Owned by:
Priority: normal Milestone:
Component: core Keywords:
Cc: Branch:
Author: Launchpad Bug:

Description (last modified by glyph)

You know how when an x509 certificate used in TLS has a subject, and the subject has some fields, and a user or admin somewhere typed something in order to access that domain name, and they're supposed to match? Since March of this year (2011), there's actually a specification that covers the expected behavior for that check, even in the face of weirdnesses like SRV record indirection, SNI, CNAMEs, and URIs which might not match hostnames exactly for some reason.

We should implement that spec. This would probably have to go into a smarter TLS endpoint, or endpoint wrapper, but at this point I think exactly where it would go is open to discussion, as I'm not an expert on the spec yet.
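To make the spec's rules concrete, here is a small matcher for the DNS-ID, SRV-ID and CN-ID fallback cases it describes. This is example code added to the ticket page, not Twisted's implementation; the `PresentedIds` container, the function names and the sample identifiers are assumptions, and certificate parsing is left out (the identifiers are passed in already extracted).

```python
"""Reference-identifier checks in the style of RFC 6125 (example, not Twisted code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PresentedIds:
    """Identifiers taken from a certificate (constructed; no ASN.1 parsing here)."""
    dns_ids: Tuple[str, ...] = ()       # subjectAltName dNSName entries
    srv_ids: Tuple[str, ...] = ()       # subjectAltName otherName SRVName entries
    common_name: Optional[str] = None   # subject CN, consulted only as a fallback


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def dns_id_matches(presented: str, reference: str) -> bool:
    """Compare one presented DNS-ID with a reference hostname (RFC 6125 6.4.3)."""
    p, r = _norm(presented).split("."), _norm(reference).split(".")
    if "*" not in presented:
        return p == r
    # Accept a wildcard only when it is the whole left-most label (stricter than
    # the RFC's MAY for "baz*.example.net"), never in another label, and never
    # with fewer than two labels after it, so "*.com" cannot match every host.
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
        return False
    # One wildcard covers exactly one label: "*.example.com" matches
    # "a.example.com" but not "a.b.example.com" and not "example.com".
    return len(r) == len(p) and r[1:] == p[1:]


def srv_id_matches(presented: str, reference: str) -> bool:
    """Compare SRV-IDs such as "_xmpp-client.example.net" (RFC 6125 6.5.1):
    service type and domain must both match, and wildcards are not used."""
    ps, _, pd = _norm(presented).partition(".")
    rs, _, rd = _norm(reference).partition(".")
    return ps.startswith("_") and ps == rs and pd == rd and "*" not in pd


def check_identity(ids: PresentedIds, reference: str,
                   service: Optional[str] = None) -> bool:
    """True when the certificate covers `reference`, the name the user typed.
    With SRV indirection the reference stays the source domain, not the SRV
    target; `service` (e.g. "_xmpp-client") enables the SRV-ID comparison."""
    if service is not None and any(
            srv_id_matches(s, service + "." + reference) for s in ids.srv_ids):
        return True
    if any(dns_id_matches(d, reference) for d in ids.dns_ids):
        return True
    # RFC 6125 6.4.4: the CN counts only when no DNS-ID/SRV-ID is presented,
    # so a CN can never widen what a SAN-bearing certificate is valid for.
    if not ids.dns_ids and not ids.srv_ids and ids.common_name is not None:
        return dns_id_matches(ids.common_name, reference)
    return False
```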

Change History

1

Changed 23 months ago by glyph

  • description modified