X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS

Hal Murray halmurray+openssl at sonic.net
Tue Apr 19 22:25:03 UTC 2022


man X509_check_host says:
       If set, X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS restricts name values
       which start with ".", that would otherwise match any sub-domain in the
       peer certificate, to only match direct child sub-domains.  Thus, for
       instance, with this flag set a name of ".example.com" would match a
       peer certificate with a DNS name of "www.example.com", but would not
       match a peer certificate with a DNS name of "www.sub.example.com"; this
       flag only applies to X509_check_host.

I haven't seen the idea of ".example.com" being special in any of the RFCs I've
been looking at.  Can somebody give me a lesson in this area?

Is there any way to turn it off totally while still allowing * type wildcards?


-- 
These are my opinions.  I hate spam.
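The following C program is an added illustration of the rule quoted from the man page above; it is not part of Hal's post and it is not OpenSSL's code. It models only the documented leading-dot behaviour so the effect of X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS can be seen on sample names. The function name demo_match_host, the constant DEMO_SINGLE_LABEL_SUBDOMAINS and the sample DNS names are all chosen here for the example; real code should call X509_check_host(cert, name, 0, flags, NULL) and never roll its own matcher.

```c
/* Illustrative model of the leading-dot matching rule documented in
 * man X509_check_host.  NOT OpenSSL's implementation: it exists only to
 * show what X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS changes. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag value, chosen for this example only. */
#define DEMO_SINGLE_LABEL_SUBDOMAINS 0x1u

/* ASCII case-insensitive compare: DNS names are not case-sensitive. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * Returns 1 if `name` (the reference identity the caller checks for)
 * matches `dns` (one DNS-ID taken from the peer certificate), else 0.
 *
 * Rule modelled from the man page: a name starting with "." is a
 * sub-domain pattern.  It matches when dns ends with that suffix and at
 * least one label precedes it.  With DEMO_SINGLE_LABEL_SUBDOMAINS set,
 * exactly one label may precede it (the prefix may contain no ".").
 * A name without a leading dot must equal dns; "*" wildcards are not
 * modelled here.
 */
int demo_match_host(const char *name, const char *dns, unsigned flags)
{
    size_t nlen = strlen(name), dlen = strlen(dns);

    if (nlen == 0 || dlen == 0)
        return 0;

    if (name[0] != '.')
        return nlen == dlen && eq_nocase(name, dns, nlen);

    /* Sub-domain pattern: the apex itself does not match, so the
     * certificate name must be strictly longer than the suffix. */
    if (dlen <= nlen)
        return 0;
    size_t prefix_len = dlen - nlen;
    if (!eq_nocase(name, dns + prefix_len, nlen))
        return 0;

    /* Single-label restriction: prefix may not contain another ".". */
    if ((flags & DEMO_SINGLE_LABEL_SUBDOMAINS) &&
        memchr(dns, '.', prefix_len) != NULL)
        return 0;

    return 1;
}

int main(void)
{
    /* Constructed sample identities, not taken from any real certificate. */
    const char *name = ".example.com";
    const char *samples[] = { "www.example.com", "www.sub.example.com",
                              "example.com", "www.notexample.com" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s default=%d single_label=%d\n", samples[i],
               demo_match_host(name, samples[i], 0),
               demo_match_host(name, samples[i],
                               DEMO_SINGLE_LABEL_SUBDOMAINS));
    return 0;
}
```

Two points the model makes visible: the leading-dot rule only engages when the name you pass to X509_check_host begins with ".", so a caller that passes a plain hostname never encounters it regardless of this flag; and because the suffix comparison includes the dot, a certificate for "www.notexample.com" does not match ".example.com".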





More information about the openssl-users mailing list