Viktor Dukhovni openssl-users at dukhovni.org
Wed Apr 20 02:15:42 UTC 2022

On Tue, Apr 19, 2022 at 10:07:15PM -0400, Viktor Dukhovni wrote:

> This is an apples/oranges dichotomy.  "*" wildcards are "presented
> identifiers" in the certificate.
> If the documentation is not sufficiently clear (too subtle) on this
> point, would you like to suggest some text to clarify the documentation?
> A pull request?

Note that paragraph three of the DESCRIPTION reads:

   .... When name [bold font] starts with a dot (e.g. ".example.com"),
   it will be matched by a certificate valid for any sub-domain of name,

where it should ideally be clear that we're talking about the peer name
specified by the application (reference identifier in terms of RFC 6125),
not a DNS-ID in the certificate (presented identifier).


More information about the openssl-users mailing list