Re: Question: why doesn't my wildcard matching work with OpenSSL?

> On Jun 10, 2019, at 4:41 PM, Paul Smith <paul@xxxxxxxxxxxxxxxxx> wrote:
> 
>> As a safety measure, OpenSSL does not support "*.tld" wildcards.
>> The non-wildcard portion of the domain name needs to have at
>> least two labels.  It seems I've neglected to document this... :-(
>> 
>> You can have "*.domain.example", but not "*.domain".
> 
> Is this something controlled by an option for X509_check_host() or is
> it just hardcoded and can't be modified?  I didn't see any options in
> the docs that seem to manage that, unless it's a side-effect.

This is not presently configurable.  I see some references to
similar policies in at least some of the major browsers, not
just OpenSSL, so it is probably best to avoid *.tld wildcards.

-- 
	Viktor.
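
The rule described in this thread, as an added example that is not part of the original message and is not OpenSSL's code: a simplified C model of the label check, useful for testing a certificate name pattern before issuance. It assumes the wildcard is a whole leftmost label (`*.`) covering exactly one host label; partial-label wildcards and trailing dots are out of scope, the function names are hypothetical, and the hostnames in main() are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated names. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Number of dot-separated labels, or 0 if any label is empty. */
static int count_labels(const char *s)
{
    int n = 0;
    for (;;) {
        size_t len = strcspn(s, ".");
        if (len == 0)
            return 0;              /* empty label: "", "a..b", "a." */
        n++;
        if (s[len] == '\0')
            return n;
        s += len + 1;              /* step past the dot */
    }
}

/* Simplified model of the policy: 1 = match, 0 = no match. */
int wildcard_host_match(const char *pattern, const char *host)
{
    const char *suffix, *dot;
    if (strncmp(pattern, "*.", 2) != 0)
        return ieq(pattern, host);  /* no wildcard: exact name match */
    suffix = pattern + 2;           /* the non-wildcard portion */
    if (count_labels(suffix) < 2)
        return 0;                   /* "*.tld" style: refused outright */
    dot = strchr(host, '.');        /* wildcard stands for one label */
    if (dot == NULL || dot == host)
        return 0;
    return ieq(dot + 1, suffix);
}

int main(void)
{
    /* Constructed hostnames; the patterns are the two quoted in the thread. */
    printf("%d\n", wildcard_host_match("*.domain.example", "www.domain.example"));
    printf("%d\n", wildcard_host_match("*.domain", "www.domain"));
}
```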



