Openssl s_client verify_ip usage on ip wildcard matching

Viktor Dukhovni openssl-users at dukhovni.org
Sat Mar 12 04:25:41 UTC 2022


On Fri, Mar 11, 2022 at 04:40:24PM -0800, Edward Tsang via openssl-users wrote:

> Does verify_ip support leftmost wildcard?

I am not aware of any RFC specifying wildcard matching in iPAddress
X.509 SANs, and no such feature is implemented in OpenSSL.

The SAN syntax is raw binary data in network byte order with 4 bytes for
IPv4 and 16 bytes for IPv6, with no place to signal a wildcard:

    https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6

IP address SANs in certificates must match exactly.

-- 
    Viktor.
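
The encoding described in the message above, as an added example that is not part of the original post and is not OpenSSL's own code: a minimal parser for a DER SubjectAltName value that extracts iPAddress entries and compares them octet for octet. The function names and the sample SAN (built from documentation addresses) are constructed for illustration.

```python
import ipaddress

IPADDRESS_TAG = 0x87  # GeneralName iPAddress: [7] IMPLICIT OCTET STRING

def read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def san_ip_entries(san_der):
    """Return the raw octets of every iPAddress entry in a SubjectAltName."""
    tag, body, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == IPADDRESS_TAG:
            if len(value) not in (4, 16):  # IPv4 or IPv6, nothing else fits
                raise ValueError("iPAddress must be 4 or 16 octets")
            out.append(value)
    return out

def ip_matches(san_der, reference):
    """Exact octet comparison of a reference address against iPAddress SANs."""
    try:
        want = ipaddress.ip_address(reference).packed
    except ValueError:
        return False  # "192.0.2.*" is not an address, so it has no encoding
    return want in san_ip_entries(san_der)

def build_san(*addresses):
    """Constructed sample: a SubjectAltName holding only iPAddress entries."""
    packed = [ipaddress.ip_address(a).packed for a in addresses]
    body = b"".join(bytes([IPADDRESS_TAG, len(p)]) + p for p in packed)
    return bytes([0x30, len(body)]) + body  # short-form length (< 128 bytes)

SAMPLE_SAN = build_san("192.0.2.10", "2001:db8::1")
```

Each entry is only a tag, a length of 4 or 16, and the address octets, so a wildcard reference such as "192.0.2.*" has nothing to be compared against.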

