halmurray+openssl at sonic.net
Tue Apr 19 22:25:03 UTC 2022
man X509_check_host says:
If set, X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS restricts name values
which start with ".", that would otherwise match any sub-domain in the
peer certificate, to only match direct child sub-domains. Thus, for
instance, with this flag set a name of ".example.com" would match a
peer certificate with a DNS name of "www.example.com", but would not
match a peer certificate with a DNS name of "www.sub.example.com"; this
flag only applies to X509_check_host.
I haven't see the idea of ".example.com" being special in any of the RFCs I've
been looking at. Can somebody give me a lesson in this area?
Is there any way to turn it off totally while still allowing * type wildcards?
These are my opinions. I hate spam.
More information about the openssl-users