Question: why doesn't my wildcard matching work with OpenSSL?
Paul Smith
paul at mad-scientist.net
Mon Jun 10 18:39:27 UTC 2019
On Mon, 2019-06-10 at 14:23 -0400, Viktor Dukhovni wrote:
> > $ openssl s_client -connect admin0.domain:8004 \
> > -CAfile ca.cert -verify_hostname admin0.domain
> >
> > ---
> > Verify return code: 62 (Hostname mismatch)
>
> It seems that you've elided too much information. Is the hostname
> really "admin0.domain", or is there some underlying domain name
> that you've obfuscated?
I tried not to elide anything other than a lot of keys and stuff.
Maybe that info isn't output?
That is actually the hostname (I have this running in a Docker
container to get the hostname set up without a lot of hassle).
But maybe that's my confusion. What "hostname" is OpenSSL looking at?
I told it the name I wanted it to use for the verify on the command
line: "-verify_hostname admin0.domain", which matches the wildcard the
certificate provides.
That appears to be what the docs say; from verify(1ssl):
-verify_hostname hostname
Verify if the hostname matches DNS name in Subject Alternative Name
or Common Name in the subject certificate.
I thought that's all it used: this value plus the wildcard in the
certificate. Am I misunderstanding this? Where else will openssl go
looking for hostnames to match?
Note that if I don't use wildcards but instead have a full hostname in
the certificate, then verify hostname does work. It's only using a
wildcard that doesn't match the way I thought it would.
Thanks for the reply!
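The question above is which names OpenSSL will accept against a wildcard DNS-ID. The following is an added example, not code from the thread or from OpenSSL: a small Python model of the rules that X509_check_host() applies (wildcard only as the whole leftmost label, matching exactly one label, and at least two labels after the '*'), simplified to reject partial wildcards such as "www*.example.com", which is stricter than OpenSSL's default. The host and pattern names in the sample cases are constructed.

```python
"""Model of the DNS-ID wildcard rules OpenSSL's X509_check_host() applies.

Added example, not code from the openssl-users thread. Rules modelled
(simplified: partial wildcards such as "www*.example.com" are rejected
here, which is stricter than OpenSSL's default):
  * comparison is case-insensitive and ignores a trailing dot
  * '*' may appear only as the whole leftmost label
  * '*' matches exactly one non-empty label, never a '.'
  * at least two labels must follow the wildcard, so "*.domain"
    is not a usable wildcard pattern and matches nothing
"""


def _labels(name: str) -> list[str]:
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if hostname is matched by the certificate DNS-ID pattern."""
    pat, host = _labels(pattern), _labels(hostname)
    if not pat or not host or "" in pat or "" in host:
        return False  # empty names or empty labels ("a..b") never match
    if "*" in hostname:
        return False  # the name being verified may not contain wildcards
    if "*" not in pattern:
        return pat == host  # plain DNS name: exact, case-insensitive match
    if pat[0] != "*" or any("*" in lbl for lbl in pat[1:]):
        return False  # wildcard only as the entire leftmost label
    if len(pat) - 1 < 2:
        return False  # "*.domain": fewer than two labels after the '*'
    if len(host) != len(pat):
        return False  # '*' covers exactly one label, no more, no fewer
    return pat[1:] == host[1:]


if __name__ == "__main__":
    # Constructed cases; 'admin0.domain' is the name used in the thread.
    for pat, host in [
        ("*.domain", "admin0.domain"),              # one-label suffix: no
        ("*.example.test", "admin0.example.test"),  # two labels follow: ok
        ("*.example.test", "a.b.example.test"),     # '*' is a single label
        ("admin0.domain", "ADMIN0.domain"),         # full name, any case
    ]:
        verdict = "OK" if hostname_matches(pat, host) else "Hostname mismatch"
        print(f"{host} vs {pat}: {verdict}")
```

Run it and the first case prints "Hostname mismatch" for the same reason s_client reports return code 62: a wildcard with only one label after it is not treated as a wildcard at all.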