> On Jun 10, 2019, at 4:41 PM, Paul Smith <paul@xxxxxxxxxxxxxxxxx> wrote:
>
>> As a safety measure, OpenSSL does not support "*.tld" wildcards.
>> The non-wildcard portion of the domain name needs to have at
>> least two labels. It seems I've neglected to document this... :-(
>>
>> You can have "*.domain.example", but not "*.domain".
>
> Is this something controlled by an option for X509_check_host() or is
> it just hardcoded and can't be modified? I didn't see any options in
> the docs that seem to manage that, unless it's a side-effect.

This is not presently configurable. I see some references to similar
policies in at least some of the major browsers, not just OpenSSL, so
it is probably best to avoid *.tld wildcards.

--
Viktor.
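As an added illustration of the policy described in the thread (this is not OpenSSL's code and not from either poster), the following small Python model of certificate wildcard matching accepts "*.domain.example" but refuses "*.domain", because the non-wildcard portion of the name has fewer than two labels. Function names and the label syntax check are my own assumptions.

```python
import re

# Illustrative model (not OpenSSL's implementation) of the wildcard rule
# discussed above: a wildcard such as "*.domain.example" matches exactly one
# leftmost label, while "*.tld" is rejected outright because the non-wildcard
# part has fewer than two labels.

# Conservative LDH-label syntax (assumed here; OpenSSL's own checks differ).
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def wildcard_is_acceptable(pattern):
    """True if pattern is a plain name, or a wildcard the policy permits:
    '*' only as the entire leftmost label, followed by at least two labels."""
    labels = _labels(pattern)
    if not labels:
        return False
    if labels[0] == "*":
        rest = labels[1:]
        return len(rest) >= 2 and all(LABEL.match(l) for l in rest)
    # Partial wildcards like "f*o.example" are rejected to keep the model strict.
    return all(LABEL.match(l) for l in labels)


def host_matches(pattern, hostname):
    """Case-insensitive match of hostname against a certificate name."""
    if not wildcard_is_acceptable(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if not all(LABEL.match(l) for l in h):
        return False
    if p[0] == "*":
        # The wildcard covers exactly one label and never spans a dot.
        return len(h) == len(p) and h[1:] == p[1:]
    return h == p


if __name__ == "__main__":
    for pat, host in [("*.domain.example", "www.domain.example"),
                      ("*.domain.example", "a.b.domain.example"),
                      ("*.domain", "www.domain")]:
        print(f"{pat!r} vs {host!r}: {host_matches(pat, host)}")
```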