Question: why doesn't my wildcard matching work with OpenSSL?

Paul Smith paul at mad-scientist.net
Mon Jun 10 17:52:06 UTC 2019


I'm having problems trying to get wildcard matching working with
OpenSSL.  Full hostname matching is working fine, but when my
certificate uses a wildcard I always get an error.  That includes
both with OpenSSL 1.1.1b linked into my normal client, AND with the
openssl CLI with a system default version.  However, trying to use this
same certificate and hostname matching works fine with Java and Python
clients.

Note for my C client I have not set any special flags for matching, I'm
just using the default and using SSL_set1_host() to add the hostname.
But, I can't even get it to work with openssl itself.

I feel like I must be missing something dumb.  Any pointers
appreciated!

For example, here's a connection attempt using the CLI... note if I
remove the -verify_hostname option the connection works fine:


$ openssl s_client -connect admin0.domain:8004 \
    -CAfile ca.cert -verify_hostname admin0.domain

CONNECTED(00000003)
depth=1 C = US, ST = MA, L = Boston, O = Mycorp, OU = Eng, CN = ca.mycorp.com
verify return:1
depth=0 CN = *.domain
verify return:1
---
Certificate chain
 0 s:/CN=*.domain
   i:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
 1 s:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
   i:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
---
Server certificate
-----BEGIN CERTIFICATE-----
  ...
-----END CERTIFICATE-----
subject=/CN=*.domain
issuer=/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
---
Acceptable client certificate CA names
/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=nuocmd.mycorp.com
/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ...
Shared Requested Signature Algorithms: ...
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
  ...
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ...
    Session-ID-ctx: 
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1560181877
    Timeout   : 300 (sec)
    Verify return code: 62 (Hostname mismatch)
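Added example, not part of the post above and not OpenSSL's own code: a small Python model of the default DNS wildcard rule applied by OpenSSL's X509_check_host(), which is what SSL_set1_host() and `s_client -verify_hostname` end up calling. OpenSSL honours a `*` only in the leftmost label, only for a single non-empty label, and only when at least two labels follow the wildcard; a pattern that breaks those rules is not treated as a wildcard at all but compared literally (case-insensitively). A certificate for `*.domain` therefore never matches `admin0.domain`, which is exactly the "62 (Hostname mismatch)" above, while `*.domain.example` does match `admin0.domain.example`. The host names and the `domain.example` suffix are made up for illustration, and the model covers only a whole-label `*` under OpenSSL's default flags (partial wildcards such as `www*`, IDNA `xn--` labels and multi-label matching are deliberately not modelled).

```python
"""Model of OpenSSL's default DNS wildcard rule (added example, not OpenSSL code).

Rules modelled, as implemented in OpenSSL's valid_star()/wildcard_match():
  * '*' may only appear as the whole leftmost label
  * at least two labels must follow the '*' ("dots < 2" rejects the pattern)
  * '*' matches exactly one non-empty label (no multi-label matching)
  * a pattern with an invalid wildcard is compared literally instead
"""


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def wildcard_is_valid(pattern: str) -> bool:
    """True if OpenSSL (default flags) would treat 'pattern' as a wildcard."""
    labels = _labels(pattern)
    if len(labels) < 2 or labels[0] != "*":
        return False
    # OpenSSL's "at least two dots after the star" check: '*.domain' has
    # only one label after the star and is therefore NOT a wildcard.
    if len(labels) - 1 < 2:
        return False
    # No empty labels (e.g. '*..example') and no further '*' anywhere.
    return all(lbl and "*" not in lbl for lbl in labels[1:])


def openssl_style_match(pattern: str, host: str) -> bool:
    """Return True if 'host' matches the certificate name 'pattern'."""
    p = _labels(pattern)
    h = _labels(host)
    if not wildcard_is_valid(pattern):
        # Either no wildcard or an invalid one: OpenSSL falls back to a
        # plain case-insensitive comparison of the whole name.
        return p == h
    # Valid wildcard: the '*' consumes exactly one non-empty label and the
    # remaining labels must be identical.
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def explain(pattern: str, host: str) -> str:
    """One-line explanation of the verdict, useful when debugging a mismatch."""
    if openssl_style_match(pattern, host):
        return "match"
    if "*" in pattern and not wildcard_is_valid(pattern):
        return ("no match: wildcard needs at least two labels after '*', "
                "so the pattern is compared literally")
    return "no match"


if __name__ == "__main__":
    # The case from the post: CN=*.domain against admin0.domain
    print(repr("*.domain"), "vs", repr("admin0.domain"), "->",
          explain("*.domain", "admin0.domain"))
    # A wildcard with a two-label suffix (made-up names) is accepted
    print(repr("*.domain.example"), "vs", repr("admin0.domain.example"), "->",
          explain("*.domain.example", "admin0.domain.example"))
```

Running the block reports the post's case as a mismatch caused by the one-label suffix, and the two-label variant as a match; the practical fix for this situation is a certificate whose name has at least two labels after the wildcard (or a SAN listing the exact host names).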