Question: why doesn't my wildcard matching work with OpenSSL?

Viktor Dukhovni openssl-users at
Mon Jun 10 22:00:39 UTC 2019

> On Jun 10, 2019, at 4:41 PM, Paul Smith <paul at> wrote:
>> As a safety measure, OpenSSL does not support "*.tld" wildcards.
>> The non-wildcard portion of the domain name needs to have at
>> least two labels.  It seems I've neglected to document this... :-(
>> You can have "*.domain.example", but not "*.domain".
> Is this something controlled by an option for X509_check_host() or is
> it just hardcoded and can't be modified?  I didn't see any options in
> the docs that seem to manage that, unless it's a side-effect.

This is not presently configurable.  I see some references to
similar policies in at least some of the major browsers, not
just OpenSSL, so it is probably best to avoid *.tld wildcards.


More information about the openssl-users mailing list