Re: Question: why doesn't my wildcard matching work with OpenSSL?

On Mon, 2019-06-10 at 20:12 +0000, Michael Wojcik wrote:
> > What I cut out was only the base64-encoded certificate.
> 
> Yes. That was what we needed to see. The certificate.

Yep, that's my bad.  Thanks for the reminder.

> As it turns out, you're hitting the OpenSSL restriction on wildcards
> with fewer than two domain components, as Viktor explained. I'd
> forgotten about that restriction.
> 
> However, I still recommend using a proper X.509v3 server certificate
> with one or more SANs. If you're running your own CA using the
> openssl utility, there are various online tutorials showing how to
> generate modern certificates.

Just to be clear, this is being seen in our docker-based test
environment using a virtual network and the docker resolvers, where
we're creating our own certificates so we can easily do both positive
and negative testing with things like good/bad hostnames, expired
certificates, incorrect chains, testing key rotation, etc. etc.

Our Java and Python clients work fine, but the C/C++ clients were
failing.

These certificates aren't being used "for real".

I'll look into enhancing our test environment to address this.  Cheers!
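
The wildcard restriction discussed above, as an added example that is not part of the original message and is not OpenSSL's code: a simplified C model for linting test-certificate names before they are issued. It assumes whole-label "*." wildcards in which the star covers exactly one label; the function names and the testnet hostnames are constructed for illustration.

```c
/* Added example: simplified model of the rule in this thread, not OpenSSL code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive string equality (DNS names compare without case). */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Number of dot-separated labels in s; 0 if any label is empty. */
static int count_labels(const char *s)
{
    int n = 0;
    for (;;) {
        size_t len = strcspn(s, ".");
        if (len == 0) return 0;          /* "", "a..b" or a trailing dot */
        n++;
        if (s[len] == '\0') return n;
        s += len + 1;
    }
}

/* 1 if pattern is "*." followed by at least two domain components. */
int wildcard_usable(const char *pattern)
{
    if (strncmp(pattern, "*.", 2) != 0 || strchr(pattern + 2, '*')) return 0;
    return count_labels(pattern + 2) >= 2;
}

/* 1 on an exact match, or when a usable wildcard covers one leftmost label. */
int host_matches(const char *pattern, const char *host)
{
    const char *dot = strchr(host, '.');
    if (!strchr(pattern, '*')) return eq_nocase(pattern, host);
    if (!wildcard_usable(pattern) || dot == NULL || dot == host) return 0;
    return eq_nocase(pattern + 1, dot);  /* compare ".rest" of both names */
}

int main(void)
{
    /* Constructed names: two components after the star, then only one. */
    printf("*.svc.testnet -> %d\n", host_matches("*.svc.testnet", "broker1.svc.testnet"));
    printf("*.testnet     -> %d\n", host_matches("*.testnet", "broker1.testnet"));
    return 0;
}
```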



