Question: why doesn't my wildcard matching work with OpenSSL?

Paul Smith paul at
Mon Jun 10 20:41:11 UTC 2019

On Mon, 2019-06-10 at 15:14 -0400, Viktor Dukhovni wrote:
> As a safety measure, OpenSSL does not support "*.tld" wildcards.
> The non-wildcard portion of the domain name needs to have at
> least two labels.  It seems I've neglected to document this... :-(
> You can have "*.domain.example", but not "*.domain".

I see, thanks, that's good info.  We will try to figure out how to
modify our Docker-based test configuration to use a multi-label domain
name for its private network.

I'm not sure how or if that will impact users, outside of our test

Is this something controlled by an option for X509_check_host() or is
it just hardcoded and can't be modified?  I didn't see any options in
the docs that seem to manage that, unless it's a side-effect.
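To make the constraint Viktor describes concrete, here is an added, self-contained Python reimplementation of the wildcard rule as stated in the thread: the wildcard may only appear as the leftmost label, it matches exactly one label, and the non-wildcard remainder must contain at least two labels (so "*.domain.example" is accepted while "*.domain" and "*.tld" are rejected). This is not OpenSSL's code and does not call X509_check_host(); as a simplifying assumption it also only accepts a bare "*" as the leftmost label (no partial wildcards such as "f*o"), and the host names used are constructed examples.

```python
"""Added example: hostname wildcard matching with the two-label rule.

Independent reimplementation of the rule described in the thread; it is
not OpenSSL's code and does not call X509_check_host(). Assumptions:
only a bare "*" is accepted as the leftmost label, matching is
case-insensitive, and a trailing dot is ignored. All names are constructed.
"""
from typing import Optional


def validate_wildcard_pattern(pattern: str) -> Optional[str]:
    """Return None if the name is acceptable, otherwise a reason string."""
    labels = pattern.lower().rstrip(".").split(".")
    if any(not lab for lab in labels):
        return "empty label"
    star_positions = [i for i, lab in enumerate(labels) if "*" in lab]
    if not star_positions:
        return None  # plain name, nothing to validate here
    if len(star_positions) > 1 or star_positions[0] != 0:
        return "wildcard allowed only in the leftmost label"
    if labels[0] != "*":
        return "partial wildcards not accepted (assumption of this example)"
    # The rule from the thread: the non-wildcard portion needs at least two
    # labels, so "*.tld" (one label after the star) is rejected.
    if len(labels) - 1 < 2:
        return "non-wildcard portion must have at least two labels"
    return None


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if hostname matches pattern under the rules above."""
    if validate_wildcard_pattern(pattern) is not None:
        return False
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if any(not lab for lab in host):
        return False
    if pat[0] != "*":
        return pat == host  # exact, case-insensitive comparison
    # The wildcard stands in for exactly one label: "*.domain.example"
    # matches "host.domain.example" but neither "domain.example" nor
    # "a.b.domain.example".
    return len(host) == len(pat) and host[1:] == pat[1:]


if __name__ == "__main__":
    # Constructed names illustrating the accepted and rejected shapes.
    for pattern in ("*.domain.example", "*.domain", "*.tld", "host.*.example"):
        print(f"{pattern:20} -> {validate_wildcard_pattern(pattern) or 'ok'}")
    for pattern, host in (("*.domain.example", "db.domain.example"),
                          ("*.domain", "db.domain"),
                          ("*.domain.example", "a.b.domain.example")):
        print(f"{pattern:20} vs {host:22} -> {wildcard_matches(pattern, host)}")
```

The second case in the demo is the one from the thread: a test setup that issues "*.domain" style certificates for a single-label private network will never match, so the fix is to give the network a name with at least two labels after the wildcard.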

