On Thu, Feb 16, 2023 at 01:21:56PM -0500, Pierre-Luc Boily wrote:

> In the book of Ivan Ristic (Bullet Proof TLS and PKI), chapter 12,
> section *Creating Certificates for Multiple Hostnames*, the author
> uses a wildcard in the SAN (*.feistyduck.com).
>
> So, if the SAN has *.feistyduck.com and feistyduck.com, what will be
> accepted with the above flag?
>
> 1. www.feistyduck.com ?
> 4. feistyduck.com ?

Yes, regardless of the flag value.

> 2. www.sub.feistyduck.com ?
> 3. www.sub.sub2.feistyduck.com ?

No, regardless of the flag value. The documentation reads:

    If set, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS suppresses support for
    "*" as wildcard pattern in labels that have a prefix or suffix, such
    as: "www*" or "*www"; this only applies to X509_check_host.

Did you read the documentation? Which part was unclear?

-- 
    Viktor.
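To make the matching rules in this thread concrete, here is an added Python model of the wildcard semantics being discussed; it is not OpenSSL's code and was not posted by either participant. It assumes the rules documented for X509_check_host (the wildcard may sit only in the leftmost label, stands for exactly one label, needs at least two labels after it, and partial wildcards such as "www*" are refused only when the flag is set); the flag constant's numeric value is a placeholder, not the one from the OpenSSL headers.

```python
"""Educational model of OpenSSL X509_check_host() wildcard matching.
Not OpenSSL's implementation; it encodes the documented rules only."""

# Same name as the OpenSSL flag; the value is a constructed placeholder.
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0x8


def _valid_wildcard_pattern(labels, flags):
    """Accept the pattern only if its leftmost label is a permitted wildcard label."""
    first = labels[0]
    if first.count("*") != 1:
        return False                 # at most one '*' in the label
    if len(labels) < 3:
        return False                 # '*.com' style patterns are rejected
    if flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS and first != "*":
        return False                 # 'www*' / '*www' refused when the flag is set
    return True


def x509_check_host(hostname, pattern, flags=0):
    """Return True if hostname matches one SAN dNSName pattern."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if "*" not in pat[0]:
        return host == pat           # plain name: exact, case-insensitive match only
    if not _valid_wildcard_pattern(pat, flags):
        return False
    if len(host) != len(pat) or host[1:] != pat[1:]:
        return False                 # '*' spans exactly one label, never zero or two
    prefix, suffix = pat[0].split("*")
    label = host[0]
    if not label or len(label) < len(prefix) + len(suffix):
        return False
    return label.startswith(prefix) and label.endswith(suffix)


def accepted(hostnames, sans, flags=0):
    """Hostnames accepted by at least one SAN entry under the given flags."""
    return [h for h in hostnames if any(x509_check_host(h, s, flags) for s in sans)]


if __name__ == "__main__":
    sans = ["*.feistyduck.com", "feistyduck.com"]           # the SANs from the question
    asked = ["www.feistyduck.com", "www.sub.feistyduck.com",
             "www.sub.sub2.feistyduck.com", "feistyduck.com"]
    for flags in (0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS):
        print(hex(flags), accepted(asked, sans, flags))
```

Running it shows the same answer for both flag values, which is the point of the reply: the flag only affects labels like "www*", not how many labels a bare "*" can cover.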