IXWebSocket wss c++ client cannot connect to Node.js wss server using an ip address
Pierre-Luc Boily
pierreluc.boily at gmail.com
Thu Feb 16 19:19:52 UTC 2023
Yep, I read the documentation. The part "suppresses support for "*" as
wildcard pattern in labels" sounds really like that wildcard is not
accepted at all. But I have to admit that I don't know what a "label" is.
With this flag, only www.feistyduck.com and feistyduck.com are accepted,
it seems useless to me to specify *.feistyduck.com in the SAN. Why not
just use www.feistyduck.com?
If I understand correctly, if I want a more open certificate that accepts my
subdomain, I should use X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS but
then allowing multi-label wildcards can increase the risk of attack I guess.
Thank you
On Thu, Feb 16, 2023 at 13:48, Viktor Dukhovni <
openssl-users at dukhovni.org> wrote:
> On Thu, Feb 16, 2023 at 01:21:56PM -0500, Pierre-Luc Boily wrote:
>
> > In the book of Ivan Ristic (Bullet Proof TLS and PKI), chapter 12,
> > section *Creating Certificates for Multiple Hostnames*, the author
> > uses a wildcard in the SAN (*.feistyduck.com).
> >
> > So, if the SAN has *.feistyduck.com and feistyduck.com, what will be
> > accepted with the above flag?
> >
> > 1. www.feistyduck.com ?
> > 4. feistyduck.com ?
>
> Yes, regardless of the flag value.
>
> > 2. www.sub.feistyduck.com ?
> > 3. www.sub.sub2.feistyduck.com ?
>
> No, regardless of the flag value.
>
> The documentation reads:
>
> If set, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS suppresses support for
> "*" as wildcard pattern in labels that have a prefix or suffix, such
> as: "www*" or "*www"; this only applies to X509_check_host.
>
> Did you read the documentation? Which part was unclear?
>
> --
> Viktor.
>
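
The matching outcomes discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's code: a simplified Python model of the wildcard rules described in the X509_check_host documentation. The function names and flag constants are hypothetical stand-ins, and IDNA handling and label-syntax checks are left out.

```python
import re

# Local stand-ins (assumed names) for the two X509_CHECK_FLAG_* bits discussed.
NO_PARTIAL_WILDCARDS = 1
MULTI_LABEL_WILDCARDS = 2

def san_matches(pattern, host, flags=0):
    """Model of matching one DNS SAN entry against a hostname."""
    pattern, host = pattern.lower(), host.lower()
    labels = pattern.split(".")
    first, rest = labels[0], ".".join(labels[1:])
    # "*" is a wildcard only once, only in the leftmost label, and only with
    # at least two labels after it; otherwise the entry is compared literally.
    if first.count("*") != 1 or "*" in rest or len(labels) < 3:
        return pattern == host
    prefix, suffix = first.split("*")
    partial = bool(prefix or suffix)              # "www*" or "*www"
    if prefix and suffix:                         # "foo*bar" is never a wildcard
        return pattern == host
    if partial and flags & NO_PARTIAL_WILDCARDS:  # "*" loses its wildcard role
        return pattern == host
    tail = suffix + "." + rest
    if len(host) < len(prefix) + len(tail):
        return False
    if not host.startswith(prefix) or not host.endswith(tail):
        return False
    filler = host[len(prefix):len(host) - len(tail)]
    if not partial and filler == "":              # a bare "*" must match something
        return False
    # Only a whole-label "*" may span several labels, and only when asked to.
    multi = not partial and flags & MULTI_LABEL_WILDCARDS
    allowed = r"[a-z0-9.-]*" if multi else r"[a-z0-9-]*"
    return re.fullmatch(allowed, filler) is not None

def cert_accepts(sans, host, flags=0):
    """A certificate is accepted if any SAN entry matches the hostname."""
    return any(san_matches(p, host, flags) for p in sans)

# Constructed sample: the SAN list from the question in this thread.
SANS = ["*.feistyduck.com", "feistyduck.com"]
HOSTS = ["www.feistyduck.com", "feistyduck.com",
         "www.sub.feistyduck.com", "www.sub.sub2.feistyduck.com"]

if __name__ == "__main__":
    for name, flags in [("default", 0), ("NO_PARTIAL", NO_PARTIAL_WILDCARDS),
                        ("MULTI_LABEL", MULTI_LABEL_WILDCARDS)]:
        print(name, [(h, cert_accepts(SANS, h, flags)) for h in HOSTS])
```

In this model NO_PARTIAL_WILDCARDS only changes the result for entries such as "www*.feistyduck.com"; a whole-label "*.feistyduck.com" behaves the same with or without it.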