Question: why doesn't my wildcard matching work with OpenSSL?
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Jun 10 18:23:48 UTC 2019
On Mon, Jun 10, 2019 at 01:52:06PM -0400, Paul Smith wrote:
> Note for my C client I have not set any special flags for matching, I'm
> just using the default and using SSL_set1_host() to add the hostname.
> But, I can't even get it to work with openssl itself.
>
> For example, here's a connection attempt using the CLI... note if I
> remove the -verify_hostname option the connection works fine:
>
> $ openssl s_client -connect admin0.domain:8004 \
> -CAfile ca.cert -verify_hostname admin0.domain
>
> CONNECTED(00000003)
> depth=1 C = US, ST = MA, L = Boston, O = Mycorp, OU = Eng, CN = ca.mycorp.com
> verify return:1
> depth=0 CN = *.domain
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=*.domain
> i:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
> 1 s:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
> i:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> subject=/CN=*.domain
> issuer=/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
> ---
> Verify return code: 62 (Hostname mismatch)
It seems that you've elided too much information. Is the hostname
really "admin0.domain", or is there some underlying domain name
that you've obfuscated?
--
Viktor.
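As an added illustration, not part of the thread and not OpenSSL's own source: if the server name really is the two-label "admin0.domain", the relevant OpenSSL behaviour is that X509_check_host() only honours a "*" that has at least two labels after it, so "*.domain" is compared literally and can never match a real host. The Python below re-implements those acceptance and matching rules; the function names are mine, and the sample names reuse mycorp.com from the quoted output.

```python
import re

# Added example, not OpenSSL's code: a re-implementation of the wildcard
# rules X509_check_host() applies to a dNSName / CN pattern.
# One LDH label: letters, digits, hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def usable_wildcard(pattern: str) -> bool:
    """True if OpenSSL would treat the '*' in PATTERN as a wildcard:
    exactly one '*', as prefix or suffix of the leftmost label, not in an
    IDNA (xn--) label, with at least two labels after it.
    '*.mycorp.com' qualifies; '*.domain' does not."""
    if pattern.count("*") != 1:
        return False
    labels = pattern.split(".")
    if len(labels) < 3:                      # fewer than two dots after '*'
        return False
    first, rest = labels[0], labels[1:]
    if not all(LABEL_RE.match(label) for label in rest):
        return False
    if not (first.startswith("*") or first.endswith("*")):
        return False                         # 'a*b' style is never accepted
    if first.lower().startswith("xn--"):
        return False
    core = first.replace("*", "")            # literal part of e.g. 'www*'
    return core == "" or LABEL_RE.match(core) is not None


def matches_host(pattern: str, host: str) -> bool:
    """Default X509_check_host() style comparison of HOST against PATTERN.
    Case-insensitive; a qualifying '*' matches one or more characters in
    exactly one label. A pattern whose '*' does not qualify is compared
    literally, which no real host name will satisfy."""
    pattern, host = pattern.lower(), host.lower()
    if not usable_wildcard(pattern):
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if len(plabels) != len(hlabels):         # '*' never spans a label boundary
        return False
    prefix, suffix = plabels[0].split("*")
    first = hlabels[0]
    if len(first) < len(prefix) + len(suffix) + 1:   # '*' must match >= 1 char
        return False
    return (first.startswith(prefix) and first.endswith(suffix)
            and plabels[1:] == hlabels[1:])
```

Both SSL_set1_host() in a C client and "openssl s_client -verify_hostname" end up in X509_check_host(), which is why the CLI and the client agree on the mismatch.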