Re: Question: why doesn't my wildcard matching work with OpenSSL?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jun 10, 2019 at 01:52:06PM -0400, Paul Smith wrote:

> Note for my C client I have not set any special flags for matching, I'm
> just using the default and using SSL_set1_host() to add the hostname. 
> But, I can't even get it to work with openssl itself.
> 
> For example, here's a connection attempt using the CLI... note if I
> remove the -verify_hostname option the connection works fine:
> 
> $ openssl s_client -connect admin0.domain:8004 \
>     -CAfile ca.cert -verify_hostname admin0.domain
> 
> CONNECTED(00000003)
> depth=1 C = US, ST = MA, L = Boston, O = Mycorp, OU = Eng, CN = ca.mycorp.com
> verify return:1
> depth=0 CN = *.domain
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=*.domain
>    i:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
>  1 s:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
>    i:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
>   ...
> -----END CERTIFICATE-----
> subject=/CN=*.domain
> issuer=/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
> ---
>     Verify return code: 62 (Hostname mismatch)

It seems that you've elided too much information.  Is the hostname
really "admin0.domain", or is there some underlying domain name
that you've obfuscated?

-- 
	Viktor.



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux