X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Apr 20 02:15:42 UTC 2022
On Tue, Apr 19, 2022 at 10:07:15PM -0400, Viktor Dukhovni wrote:
> This is an apples/oranges dichotomy. "*" wildcards are "presented
> identifiers" in the certificate.
>
> If the documentation is not sufficiently clear (too subtle) on this
> point, would you like to suggest some text to clarify the documentation?
> A pull request?
Note that paragraph three of the DESCRIPTION reads:
.... When *name* starts with a dot (e.g. ".example.com"),
it will be matched by a certificate valid for any sub-domain of name,
(see also X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS below).
where it should ideally be clear that we're talking about the peer name
specified by the application (reference identifier in terms of RFC 6125),
not a DNS-ID in the certificate (presented identifier).
--
Viktor.
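To make the reference/presented distinction concrete, here is an added Python model (not OpenSSL's own code, and simplified to leftmost whole-label wildcards) of how an application-supplied reference identifier is matched against a certificate's presented DNS-IDs, including the leading-dot form and the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS restriction the man page describes; the constant `SINGLE_LABEL_SUBDOMAINS` is a stand-in for the OpenSSL flag.

```python
# Illustrative model only, not OpenSSL's implementation. A "*" wildcard lives in
# the certificate (presented identifier, RFC 6125); a leading "." lives in the
# application-supplied reference identifier, as X509_check_host(3) documents.
from typing import Iterable

SINGLE_LABEL_SUBDOMAINS = 1  # stand-in for X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS


def presented_matches(presented: str, host: str) -> bool:
    """Match one certificate DNS-ID (optionally '*.'-prefixed) against a hostname."""
    p, h = presented.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # The wildcard covers exactly one non-empty leftmost label; the
        # remaining labels must be identical.
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def reference_matches(reference: str, presented: str, flags: int = 0) -> bool:
    """Match the application's reference identifier against one presented DNS-ID."""
    if not reference.startswith("."):
        return presented_matches(presented, reference)
    # ".example.com" as a reference: any sub-domain of example.com matches,
    # unless the flag restricts it to direct children (exactly one extra label).
    parent = reference[1:].lower().split(".")
    labels = presented.lower().split(".")
    if len(labels) <= len(parent) or labels[-len(parent):] != parent:
        return False
    if flags & SINGLE_LABEL_SUBDOMAINS:
        return len(labels) == len(parent) + 1
    return True


def check_host(reference: str, dns_ids: Iterable[str], flags: int = 0) -> bool:
    """True if any presented DNS-ID in the certificate satisfies the reference."""
    return any(reference_matches(reference, d, flags) for d in dns_ids)
```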