RE: Question: why doesn't my wildcard matching work with OpenSSL?


 



I don't know why you sent this to me directly rather than to the list.

> From: Paul Smith [mailto:paul@xxxxxxxxxxxxxxxxx]
> Sent: Monday, June 10, 2019 12:54
> To: Michael Wojcik
>
> On Mon, 2019-06-10 at 18:49 +0000, Michael Wojcik wrote:
> > Argh. You cut out the actual relevant information. We need to see the
> > server certificate.
> >
> > In particular, does it contain any Subject Alternative Name
> > extensions?
>
> What I cut out was only the base64-encoded certificate.

Yes. That was what we needed to see. The certificate.

> There weren't any settings shown there.

I didn't mention "settings". I discussed Subject Alternative Name extensions, which are part of the certificate.

> > I have a vague memory that wildcard matching only works with SANs.

As it turns out, you're hitting the OpenSSL restriction on wildcards with fewer than two domain components, as Viktor explained. I'd forgotten about that restriction.

However, I still recommend using a proper X.509v3 server certificate with one or more SANs. If you're running your own CA using the openssl utility, there are various online tutorials showing how to generate modern certificates.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
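
The wildcard restriction and the SAN recommendation discussed in the message above, as an added example that is not part of the original message or the OpenSSL project: it builds two throwaway self-signed certificates whose names live only in the SAN extension and runs OpenSSL's own host check against them. The names `example.test` and `lan` are constructed, the helper functions are hypothetical, and `req -addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example; all host names below are constructed for illustration.

# make_cert SAN OUT: write a throwaway self-signed certificate to OUT whose
# only host names are in the subjectAltName extension (the subject has no CN).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Test Cert" \
        -addext "subjectAltName=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# host_matches CERT HOST: exit 0 if OpenSSL's host name check accepts HOST.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# report CERT HOST: print one result line for the pair.
report() {
    if host_matches "$1" "$2"; then r="match"; else r="NO match"; fi
    printf '%-20s %s\n' "$2" "$r"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Wildcard followed by two domain components, plus the bare name.
    make_cert "DNS:*.example.test,DNS:example.test" "$dir/ok.pem"
    # Wildcard followed by a single component: OpenSSL does not expand it.
    make_cert "DNS:*.lan" "$dir/short.pem"

    report "$dir/ok.pem" www.example.test      # match
    report "$dir/ok.pem" example.test          # match (listed explicitly)
    report "$dir/ok.pem" a.b.example.test      # NO match (one label only)
    report "$dir/short.pem" host.lan           # NO match (too few components)
    rm -rf "$dir"
}

demo
```

Listing the bare domain as its own SAN entry matters because a wildcard entry never covers the name without the leading label.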






