Question: why doesn't my wildcard matching work with OpenSSL?

Paul Smith paul at
Mon Jun 10 17:52:06 UTC 2019

I'm having problems trying to get wildcard matching working with
OpenSSL.  Full hostname matching is working fine, but when my
certificate uses a wildcard I always get an error.  That includes
both with OpenSSL 1.1.1b linked into my normal client, AND with the
openssl CLI with a system default version.  However, trying to use this
same certificate and hostname matching works fine with Java and Python.

Note that for my C client I have not set any special flags for matching; I'm
just using the default and using SSL_set1_host() to add the hostname.
But I can't even get it to work with openssl itself.

I feel like I must be missing something dumb.  Any pointers?

For example, here's a connection attempt using the CLI... note if I
remove the -verify_hostname option the connection works fine:

$ openssl s_client -connect admin0.domain:8004 \
    -CAfile ca.cert -verify_hostname admin0.domain

depth=1 C = US, ST = MA, L = Boston, O = Mycorp, OU = Eng, CN =
verify return:1
depth=0 CN = *.domain
verify return:1
Certificate chain
 0 s:/CN=*.domain
 1 s:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/
Server certificate
Acceptable client certificate CA names
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ...
Shared Requested Signature Algorithms: ...
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ...
    Master-Key: ...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1560181877
    Timeout   : 300 (sec)
    Verify return code: 62 (Hostname mismatch)
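The post compares OpenSSL's hostname check against other TLS stacks on the same `*.domain` certificate. OpenSSL's X509_check_host(), which is what both SSL_set1_host() and `s_client -verify_hostname` end up calling, only honours a `*` when it is the entire leftmost label and at least two dots follow it: `*.example.com` is a wildcard, but `*.domain` is treated as a literal name and so never matches `admin0.domain`. That rule keeps a wildcard from covering a whole top-level domain or a single-label private name. The matcher below is an added example written for this page, not OpenSSL's code and not the poster's client; the certificate names and hostnames it uses are constructed from the post, and the `min_dots_after_star` knob is this example's own way of showing the strict OpenSSL rule next to the lenient matching the post reports from other stacks.

```python
"""Wildcard hostname matching, strict (OpenSSL-style) next to lenient.

Added example for the openssl-users thread above; not OpenSSL source.
The names below ('*.domain', 'admin0.domain') are constructed from the post.
"""
import re

# A DNS label: letters, digits and hyphens, 1..63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels_ok(labels):
    """True when every label is a syntactically valid hostname label."""
    return all(_LABEL.match(label) for label in labels)


def wildcard_matches(pattern, hostname, min_dots_after_star=2):
    """Return True if `hostname` matches the certificate name `pattern`.

    Rules applied (the defaults OpenSSL's X509_check_host() uses for a
    certificate name, as this example reads them):
      * at most one '*', only in the leftmost label, and as the whole label;
      * at least `min_dots_after_star` dots must follow the star, so
        '*.example.com' is a wildcard but '*.domain' is not; a name whose
        star is not accepted is compared literally, which cannot equal a
        real hostname, so it is rejected here;
      * comparison is case-insensitive and '*' covers exactly one label.
    min_dots_after_star=1 gives the lenient behaviour the post reports
    from other TLS implementations (this knob is the example's own).
    """
    pattern = pattern.lower()
    hostname = hostname.lower()

    if "*" not in pattern:
        # Plain name: exact, case-insensitive comparison.
        return pattern == hostname

    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    star_label, rest = plabels[0], plabels[1:]

    # The star must be the whole leftmost label, occur once, and be followed
    # by enough labels; otherwise the pattern is not a usable wildcard.
    if star_label != "*" or any("*" in l for l in rest):
        return False
    if len(rest) < min_dots_after_star:
        return False
    if not _labels_ok(rest) or not _labels_ok(hlabels):
        return False

    # '*' matches exactly one label: same label count, identical suffix.
    return len(hlabels) == len(plabels) and hlabels[1:] == rest


def diagnose(pattern, hostname):
    """Report how the strict and lenient rules judge one certificate name."""
    return {
        "strict_openssl_style": wildcard_matches(pattern, hostname),
        "lenient": wildcard_matches(pattern, hostname, min_dots_after_star=1),
    }


if __name__ == "__main__":
    # The post's case: a one-label suffix after the star.
    print(diagnose("*.domain", "admin0.domain"))
    # A wildcard with two labels after the star works under both rules.
    print(diagnose("*.example.com", "admin0.example.com"))
```

Running the block shows the split the poster saw: `*.domain` against `admin0.domain` is rejected by the strict rule and accepted by the lenient one, while `*.example.com` against `admin0.example.com` passes both. The practical fix on the certificate side is to issue names with at least two labels after the wildcard (or to list the hosts explicitly as SANs) rather than to weaken the client's check.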
