Question: why doesn't my wildcard matching work with OpenSSL?
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Jun 10 19:14:59 UTC 2019
> On Jun 10, 2019, at 2:39 PM, Paul Smith <paul at mad-scientist.net> wrote:
>
> On Mon, 2019-06-10 at 14:23 -0400, Viktor Dukhovni wrote:
>>> $ openssl s_client -connect admin0.domain:8004 \
>>> -CAfile ca.cert -verify_hostname admin0.domain
>>>
>>> ---
>>> Verify return code: 62 (Hostname mismatch)
>>
>> It seems that you've elided too much information. Is the hostname
>> really "admin0.domain", or is there some underlying domain name
>> that you've obfuscated?
>
> I tried not to elide anything other than a lot of keys and stuff.
> Maybe that info isn't output?
>
> That is actually the hostname (I have this running in a Docker
> container to get the hostname set up without a lot of hassle).
As a safety measure, OpenSSL does not support "*.tld" wildcards.
The non-wildcard portion of the domain name needs to have at
least two labels. It seems I've neglected to document this... :-(
You can have "*.domain.example", but not "*.domain".
--
Viktor.
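A small Python model of the rule Viktor describes, added here as an illustration rather than code from OpenSSL or from this thread; it assumes the usual form of a single "*" as the whole leftmost label, and reproduces the thread's two cases ("*.domain" rejected, "*.domain.example" accepted):

```python
import re

# Model of the wildcard rule from the reply above: a leading "*" label is only
# honoured when the fixed suffix after it has at least two DNS labels.
# Added illustration; this is not OpenSSL's own X509_check_host() code.

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def _labels(name: str) -> list:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def wildcard_allowed(pattern: str) -> bool:
    """True if `pattern` is a wildcard name this model will consider at all."""
    labels = _labels(pattern)
    if labels[0] != "*":
        return False            # only a whole leftmost "*" label is modelled
    suffix = labels[1:]
    if len(suffix) < 2:
        return False            # "*.domain": suffix has one label -> rejected
    return all(_LABEL.match(lbl) for lbl in suffix)


def matches(pattern: str, hostname: str) -> bool:
    """Match `hostname` against a certificate name under the rule above."""
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in p:
        return p == h           # plain name: exact, case-insensitive compare
    if not wildcard_allowed(pattern):
        return False
    # "*" stands for exactly one label, so the label counts must agree and
    # the fixed suffix must match label for label.
    return (len(h) == len(p)
            and p[1:] == h[1:]
            and _LABEL.match(h[0]) is not None)


if __name__ == "__main__":
    # Constructed inputs reproducing the thread's situation.
    print(matches("*.domain", "admin0.domain"))                  # False
    print(matches("*.domain.example", "admin0.domain.example"))  # True
```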