Re: IXWebSocket wss c++ client cannot connect to Node.js wss server using an ip address

Yep, I read the documentation.  The part "suppresses support for "*" as wildcard pattern in labels" really sounds like the wildcard is not accepted at all.  But I have to admit that I don't know what a "label" is.

With this flag, only www.feistyduck.com and feistyduck.com are accepted. It seems useless to me to specify *.feistyduck.com in the SAN.  Why not just use www.feistyduck.com?

If I understand correctly, if I want a more open certificate that accepts my subdomain, I should use X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, but then allowing multi-label wildcards can increase the risk of attack, I guess.

Thank you

On Thu, Feb 16, 2023 at 13:48, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Thu, Feb 16, 2023 at 01:21:56PM -0500, Pierre-Luc Boily wrote:

> In the book of Ivan Ristic (Bullet Proof TLS and PKI), chapter 12,
> section *Creating Certificates for Multiple Hostnames*, the author
> uses a wildcard in the SAN (*.feistyduck.com).
>
> So, if the SAN has *.feistyduck.com and feistyduck.com, what will be
> accepted with the above flag?
>
> 1. www.feistyduck.com ?
> 4. feistyduck.com ?

Yes, regardless of the flag value.

> 2. www.sub.feistyduck.com ?
> 3. www.sub.sub2.feistyduck.com ?

No, regardless of the flag value.

The documentation reads:

   If set, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS suppresses support for
   "*" as wildcard pattern in labels that have a prefix or suffix, such
   as: "www*" or "*www"; this only applies to X509_check_host.

Did you read the documentation?  Which part was unclear?

--
    Viktor.
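
The matching rules discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's code: a simplified C model in which a "label" is one dot-separated component of a hostname and "*" covers text inside the left-most label only. The `MODEL_*` flag names, `san_matches` and `cert_matches` are hypothetical names for this sketch; they mirror the intent of the OpenSSL flags named above, not their values or implementation.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical flag names used by this model only. */
#define MODEL_NO_PARTIAL_WILDCARDS  0x1u
#define MODEL_MULTI_LABEL_WILDCARDS 0x2u

static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)      /* case-insensitive compare */
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match one SAN dNSName pattern against a hostname; returns 1 on match. */
int san_matches(const char *pat, const char *host, unsigned flags)
{
    size_t plen = strlen(pat), hlen = strlen(host);
    const char *star = strchr(pat, '*');
    if (star == NULL)                   /* no wildcard: exact name only */
        return plen == hlen && ieq(pat, host, plen);

    const char *dot = strchr(pat, '.');
    /* a single '*', in the left-most label, followed by >= 2 labels */
    if (!dot || star > dot || strchr(star + 1, '*') || !strchr(dot + 1, '.'))
        return 0;
    size_t pre = (size_t)(star - pat);  /* label text before '*' */
    size_t tail = plen - pre - 1;       /* everything after '*'  */
    int partial = pre > 0 || star + 1 != dot;   /* "www*" or "*www" */
    if (partial && (flags & MODEL_NO_PARTIAL_WILDCARDS))
        return 0;
    if (hlen < pre + tail + (partial ? 0 : 1))  /* bare '*' needs >= 1 char */
        return 0;
    if (!ieq(host, pat, pre) || !ieq(host + hlen - tail, star + 1, tail))
        return 0;
    /* text covered by '*' may span labels only for a bare '*' with the flag */
    if ((partial || !(flags & MODEL_MULTI_LABEL_WILDCARDS)) &&
        memchr(host + pre, '.', hlen - pre - tail))
        return 0;
    return 1;
}

/* A certificate matches if any one of its SAN entries matches. */
int cert_matches(const char *const *sans, size_t n, const char *host, unsigned flags)
{
    for (size_t i = 0; i < n; i++)
        if (san_matches(sans[i], host, flags))
            return 1;
    return 0;
}
```

With the SAN list `*.feistyduck.com`, `feistyduck.com`, the bare name is accepted through the second entry, not through the wildcard.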
