Question: why doesn't my wildcard matching work with OpenSSL?
Paul Smith
paul at mad-scientist.net
Mon Jun 10 20:41:11 UTC 2019
On Mon, 2019-06-10 at 15:14 -0400, Viktor Dukhovni wrote:
> As a safety measure, OpenSSL does not support "*.tld" wildcards.
> The non-wildcard portion of the domain name needs to have at
> least two labels. It seems I've neglected to document this... :-(
>
> You can have "*.domain.example", but not "*.domain".
I see, thanks, that's good info. We will try to figure out how to
modify our Docker-based test configuration to use a multi-label domain
name for its private network.
I'm not sure how or if that will impact users, outside of our test
environment.
Is this something controlled by an option for X509_check_host() or is
it just hardcoded and can't be modified? I didn't see any options in
the docs that seem to manage that, unless it's a side-effect.
More information about the openssl-users
mailing list