mTLS matching IP address

Is it possible to check if the IP-address matches the client-ip?

E.g. Certificate for the client 10.1.2.3:

openssl ... -addext "subjectAltName=IP:10.1.2.3"

Something like:

tls_verify_peers = Check.Valid=S.subjectAltName=IP:<remote-ip>

If you use TLS, this is not necessary as TLS prevents IP spoofing. Or in other words: TLS already does what you want to do here.

Spoofing is one side of this, which TLS does indeed prevent. There’s also a question of if a certificate is issued to one host, can it be moved and successfully reused by any other host. There was a previous question about this, TLS Plugin Automatic Hostname / IP Verification, and nothing has changed since afaik.