Question: why doesn't my wildcard matching work with OpenSSL?
Paul Smith
paul at mad-scientist.net
Mon Jun 10 20:31:54 UTC 2019
On Mon, 2019-06-10 at 20:12 +0000, Michael Wojcik wrote:
> > What I cut out was only the base64-encoded certificate.
>
> Yes. That was what we needed to see. The certificate.
Yep, that's my bad. Thanks for the reminder.
> As it turns out, you're hitting the OpenSSL restriction on wildcards
> with fewer than two domain components, as Viktor explained. I'd
> forgotten about that restriction.
>
> However, I still recommend using a proper X.509v3 server certificate
> with one or more SANs. If you're running your own CA using the
> openssl utility, there are various online tutorials showing how to
> generate modern certificates.
Just to be clear, this is being seen in our docker-based test
environment using a virtual network and the docker resolvers, where
we're creating our own certificates so we can easily do both positive
and negative testing with things like good/bad hostnames, expired
certificates, incorrect chains, testing key rotation, etc. etc.
Our Java and Python clients work fine, but the C/C++ clients were
failing.
These certificates aren't being used "for real".
I'll look into enhancing our test environment to address this. Cheers!
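To make the restriction Viktor and Michael refer to concrete, here is an added example that is not from this thread and is not OpenSSL's own code: a small C model of the wildcard rules OpenSSL applies when checking a hostname against a certificate DNS name. It keeps the two rules that matter here, a "*" is accepted only as the whole leftmost label, and at least two labels must follow it, so "*.example.com" is usable while a single-component suffix such as the assumed "*.local" is not. It assumes plain DNS names as found in a SAN entry and deliberately omits the partial-wildcard form ("f*.example.com") that OpenSSL allows by default; the names and hosts in main() are constructed test data.

```c
/*
 * Added example (not from the thread or from OpenSSL): a model of the
 * wildcard rules OpenSSL enforces for hostname checks.  A '*' must be the
 * whole leftmost label and at least two labels must follow it, so
 * "*.example.com" works while "*.local" (assumed single-component suffix)
 * is rejected.  Partial wildcards such as "f*.example.com" are left out.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two byte ranges of the same length. */
static bool equal_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; ++i)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Is this a wildcard pattern the checker would accept at all? */
bool wildcard_pattern_ok(const char *pattern)
{
    const char *star = strchr(pattern, '*');
    if (star == NULL || star != pattern)       /* '*' only at the very start */
        return false;
    if (star[1] != '.')                        /* whole-label form "*.x.y" only */
        return false;
    if (strchr(star + 1, '*') != NULL)         /* at most one wildcard */
        return false;
    int dots = 0;
    for (const char *p = star + 1; *p != '\0'; ++p) {
        if (*p == '.') {
            if (p[1] == '.' || p[1] == '\0')   /* no empty or trailing labels */
                return false;
            ++dots;
        } else if (!isalnum((unsigned char)*p) && *p != '-') {
            return false;                      /* only DNS label characters */
        }
    }
    return dots >= 2;                          /* "*.com" / "*.local" rejected */
}

/* Does the certificate DNS name cover this hostname? */
bool hostname_matches(const char *cert_name, const char *host)
{
    size_t host_len = strlen(host);

    if (strchr(cert_name, '*') == NULL)        /* literal name: exact, case-insensitive */
        return strlen(cert_name) == host_len && equal_nocase(cert_name, host, host_len);
    if (!wildcard_pattern_ok(cert_name))       /* an invalid pattern never matches */
        return false;

    const char *suffix = cert_name + 1;        /* e.g. ".example.com" */
    size_t suffix_len = strlen(suffix);
    if (host_len <= suffix_len)                /* the wildcard must match >= 1 char */
        return false;
    if (!equal_nocase(host + (host_len - suffix_len), suffix, suffix_len))
        return false;

    /* The wildcard stands in for exactly one label: no '.' allowed in it. */
    size_t label_len = host_len - suffix_len;
    for (size_t i = 0; i < label_len; ++i) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '-')
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed test pairs, not real deployment names. */
    static const struct { const char *cert; const char *host; } cases[] = {
        { "*.example.com", "www.example.com" },  /* match */
        { "*.example.com", "a.b.example.com" },  /* wildcard covers one label only */
        { "*.example.com", "example.com" },      /* nothing for '*' to match */
        { "*.local",       "host.local" },       /* one label after '*': rejected */
        { "*.test.local",  "host.test.local" },  /* two labels after '*': accepted */
        { "host.local",    "HOST.LOCAL" },       /* literal names compare case-insensitively */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; ++i)
        printf("%-15s vs %-17s -> %s\n", cases[i].cert, cases[i].host,
               hostname_matches(cases[i].cert, cases[i].host) ? "match" : "NO MATCH");
    return 0;
}
```

For a test environment like the one described, the practical consequence is that a SAN such as "*.local" will never validate in an OpenSSL-based client even though other stacks may accept it; either issue per-service literal DNS names in the SAN, or use a wildcard whose suffix has at least two labels (as in the "*.test.local" case above).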