Question: why doesn't my wildcard matching work with OpenSSL?

Paul Smith paul at mad-scientist.net
Mon Jun 10 20:31:54 UTC 2019


On Mon, 2019-06-10 at 20:12 +0000, Michael Wojcik wrote:
> > What I cut out was only the base64-encoded certificate.
> 
> Yes. That was what we needed to see. The certificate.

Yep, that's my bad.  Thanks for the reminder.

> As it turns out, you're hitting the OpenSSL restriction on wildcards
> with fewer than two domain components, as Viktor explained. I'd
> forgotten about that restriction.
> 
> However, I still recommend using a proper X.509v3 server certificate
> with one or more SANs. If you're running your own CA using the
> openssl utility, there are various online tutorials showing how to
> generate modern certificates.

Just to be clear, this is being seen in our docker-based test
environment using a virtual network and the docker resolvers, where
we're creating our own certificates so we can easily do both positive
and negative testing with things like good/bad hostnames, expired
certificates, incorrect chains, testing key rotation, etc. etc.

Our Java and Python clients work fine, but the C/C++ clients were
failing.

These certificates aren't being used "for real".

I'll look into enhancing our test environment to address this.  Cheers!
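
To make the restriction Michael and Viktor refer to concrete, here is an added Python model (not OpenSSL's code, and not the poster's test harness) of the default wildcard rule in OpenSSL's X509_check_host(): the '*' must be the whole leftmost label and at least two labels must follow it, so a name like *.testnet is never matched while *.test.internal is. The hostnames are constructed, and partial wildcards such as f*.example.com, which OpenSSL also accepts by default, are deliberately not modelled.

```python
import re

# Simplified model of the checks in OpenSSL's valid_star()/wildcard_match()
# (written for this example, not OpenSSL's own code). Only full-label
# wildcards of the form '*.label.label' are considered.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)


def wildcard_is_valid(pattern: str) -> bool:
    """True if OpenSSL would treat `pattern` as a usable wildcard name."""
    labels = pattern.split(".")
    if labels[0] != "*":          # '*' must be the entire leftmost label
        return False
    rest = labels[1:]
    if len(rest) < 2:             # fewer than two components after '*': rejected
        return False
    return all(LABEL_RE.match(lbl) for lbl in rest)


def openssl_style_match(pattern: str, hostname: str) -> bool:
    """Exact (case-insensitive) match, or a valid wildcard covering one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    if not wildcard_is_valid(pattern):
        return False              # an invalid wildcard never matches anything
    host_labels = hostname.split(".")
    pat_labels = pattern.split(".")
    return (len(host_labels) == len(pat_labels)          # '*' spans one label only
            and host_labels[1:] == pat_labels[1:]
            and LABEL_RE.match(host_labels[0]) is not None)


# Constructed names resembling hostnames on a docker test network
SAMPLE_CASES = [
    ("*.testnet", "api.testnet"),                # one component after '*': no match
    ("*.test.internal", "api.test.internal"),    # two components: match
    ("*.test.internal", "a.b.test.internal"),    # wildcard does not span two labels
    ("api.test.internal", "API.test.internal"),  # exact match, case-insensitive
]

if __name__ == "__main__":
    for pat, host in SAMPLE_CASES:
        print(f"{pat:20} vs {host:20} -> {openssl_style_match(pat, host)}")
```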
