Is it possible to check if the IP-address matches the client-ip?
E.g. Cerficicate for the client 10.1.2.3:
openssl ... -addext "subjectAltName=IP:10.1.2.3"
Something like:
tls_verify_peers = Check.Valid=S.subjectAltName=IP:<remote-ip>
If you use TLS, this is not necessary as TLS prevents IP spoofing. Or in other words: TLS already does what you want to do here.
Spoofing is one side of this, which TLS does indeed prevent. There’s also a question of if a certificate is issued to one host, can it be moved and successfully reused by any other host. There was a previous question about this TLS Plugin Automatic Hostname / IP Verification , and nothing has changed since afaik.