On Mon, Jun 10, 2019 at 01:52:06PM -0400, Paul Smith wrote:

> Note for my C client I have not set any special flags for matching, I'm
> just using the default and using SSL_set1_host() to add the hostname.
> But, I can't even get it to work with openssl itself.
>
> For example, here's a connection attempt using the CLI... note if I
> remove the -verify_hostname option the connection works fine:
>
> $ openssl s_client -connect admin0.domain:8004 \
>     -CAfile ca.cert -verify_hostname admin0.domain
>
> CONNECTED(00000003)
> depth=1 C = US, ST = MA, L = Boston, O = Mycorp, OU = Eng, CN = ca.mycorp.com
> verify return:1
> depth=0 CN = *.domain
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=*.domain
>    i:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
>  1 s:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
>    i:/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
> subject=/CN=*.domain
> issuer=/C=US/ST=MA/L=Boston/O=Mycorp/OU=Eng/CN=ca.mycorp.com
> ---
> Verify return code: 62 (Hostname mismatch)

It seems that you've elided too much information. Is the hostname really
"admin0.domain", or is there some underlying domain name that you've
obfuscated?

-- 
Viktor.
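Added example, not part of the thread: a small Python model of the wildcard rule that OpenSSL's X509_check_host() applies to a certificate name such as the CN `*.domain` in the s_client output above (the CN is used because the certificate shows no SAN). OpenSSL honours a `*` only when it is the whole leftmost label and is followed by at least two more labels; otherwise the pattern is compared literally. Partial wildcards such as `www*.example.com`, which OpenSSL also accepts by default, are deliberately left out of this model.

```python
# Added example (not code from the thread): a model of the wildcard rule
# OpenSSL's X509_check_host() uses when matching a certificate DNS name
# against the host passed via -verify_hostname or SSL_set1_host().
# Simplification: only full-label wildcards ("*.example.com") are modelled.

def wildcard_is_valid(pattern: str) -> bool:
    """OpenSSL only honours a '*' that is the whole leftmost label and is
    followed by at least two more labels, so '*.com' and '*.domain' are
    rejected as nonsense wildcards."""
    labels = pattern.split(".")
    if labels[0] != "*":
        return False
    if any(lbl == "" or "*" in lbl for lbl in labels[1:]):
        return False
    return len(labels) - 1 >= 2  # at least two dots after the star


def hostname_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of a certificate name pattern against a
    hostname. A pattern whose wildcard is invalid is only compared
    literally, which is what OpenSSL does when it rejects the star."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern or not wildcard_is_valid(pattern):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The star matches exactly one non-empty label; the rest must be equal.
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def explain(pattern: str, host: str) -> str:
    """Human-readable verdict for diagnosing 'Verify return code: 62
    (Hostname mismatch)' reports."""
    if hostname_matches(pattern, host):
        return f"{pattern!r} matches {host!r}"
    if "*" in pattern and not wildcard_is_valid(pattern):
        return (f"{pattern!r} is not a usable wildcard: OpenSSL needs at "
                f"least two labels after the '*', so it only matches literally")
    return f"{pattern!r} does not match {host!r}"


if __name__ == "__main__":
    # First pair: the names from the s_client transcript above.
    # Second pair: a constructed contrast with a wildcard of enough depth.
    print(explain("*.domain", "admin0.domain"))
    print(explain("*.mycorp.com", "admin0.mycorp.com"))
```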