Question: why doesn't my wildcard matching work with OpenSSL?

Paul Smith paul at mad-scientist.net
Mon Jun 10 18:39:27 UTC 2019


On Mon, 2019-06-10 at 14:23 -0400, Viktor Dukhovni wrote:
> > $ openssl s_client -connect admin0.domain:8004 \
> >      -CAfile ca.cert -verify_hostname admin0.domain
> > 
> > ---
> >      Verify return code: 62 (Hostname mismatch)
> 
> It seems that you've elided too much information.  Is the hostname
> really "admin0.domain", or is there some underlying domain name
> that you've obfuscated?

I tried not to elide anything other than a lot of keys and stuff. 
Maybe that info isn't output?

That is actually the hostname (I have this running in a Docker
container to get the hostname set up without a lot of hassle).

But maybe that's my confusion.  What "hostname" is OpenSSL looking at? 
I told it the name I wanted it to use for the verify on the command
line: "-verify_hostname admin0.domain", which matches the wildcard the
certificate provides.

That appears to be what the docs say; from verify(1ssl):

 -verify_hostname hostname
     Verify if the hostname matches DNS name in Subject Alternative Name
     or Common Name in the subject certificate.

I thought that's all it used: this value plus the wildcard in the
certificate.  Am I misunderstanding this?  Where else will openssl go
looking for hostnames to match?

Note that if I don't use wildcards but instead have a full hostname in
the certificate, then verify hostname does work.  It's only using a
wildcard that doesn't match the way I thought it would.

Thanks for the reply!
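Added example, not part of the thread or of OpenSSL itself: a small Python re-implementation of the wildcard constraints that OpenSSL's X509_check_host() applies under its default flags, so the "Verify return code: 62 (Hostname mismatch)" quoted above can be reproduced offline. It assumes the certificate's wildcard name is "*.domain" (the post does not show the certificate) and ignores IDNA ("xn--") labels.

```python
# Added example (not OpenSSL code): hostname matching with the wildcard
# rules OpenSSL enforces by default. Assumed: the certificate's wildcard
# SAN/CN is "*.domain", which is matched against the host "admin0.domain".

def match_hostname(pattern: str, hostname: str) -> tuple[bool, str]:
    """Return (matched, reason). PATTERN is a dNSName or CN from the cert."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if "*" not in pattern:                       # plain name: exact match
        return (p_labels == h_labels, "exact comparison")
    # Rule 1: a single '*' and only in the leftmost label.
    if pattern.count("*") != 1 or "*" not in p_labels[0]:
        return (False, "wildcard must be in the leftmost label only")
    # Rule 2: at least two labels must follow the wildcard label. "*.domain"
    # has only one, so OpenSSL refuses to treat it as a usable wildcard.
    suffix = p_labels[1:]
    if len(suffix) < 2 or not all(suffix):
        return (False, "wildcard needs at least two labels after it")
    # Rule 3: '*' spans exactly one label (no MULTI_LABEL_WILDCARDS flag).
    if len(h_labels) != len(p_labels) or h_labels[1:] != suffix:
        return (False, "suffix labels differ or '*' would span labels")
    prefix, tail = p_labels[0].split("*")        # partial wildcards: "www*"
    first = h_labels[0]
    if (len(first) < len(prefix) + len(tail)
            or not first.startswith(prefix) or not first.endswith(tail)):
        return (False, "leftmost label does not fit the wildcard pattern")
    # Rule 4: a bare '*' label must match at least one character.
    if not prefix and not tail and not first:
        return (False, "bare '*' must match at least one character")
    return (True, "match")


if __name__ == "__main__":
    # Constructed cases: the thread's failing pair, the full-name case the
    # poster says works, and a wildcard with a two-label suffix.
    for pat, host in [("*.domain", "admin0.domain"),
                      ("admin0.domain", "admin0.domain"),
                      ("*.example.com", "admin0.example.com")]:
        print(f"{pat!r:16} vs {host!r:22} -> {match_hostname(pat, host)}")
```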
