Yep, I read the documentation. The part "suppresses support for '*' as wildcard pattern in labels" sounds really like that wildcard is not accepted at all. But I have to admit that I don't know what a "label" is.
With this flag, only www.feistyduck.com and feistyduck.com are accepted; it seems useless to me to specify *.feistyduck.com in the SAN. Why not just use www.feistyduck.com?
If I understand correctly, if I want a more open certificate that accepts my subdomains, I should use X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS, but then allowing multi-label wildcards can increase the risk of attack, I guess.
Thank you
On Thu, 16 Feb 2023 at 13:48, Viktor Dukhovni <openssl-users@xxxxxxxxxxxx> wrote:
On Thu, Feb 16, 2023 at 01:21:56PM -0500, Pierre-Luc Boily wrote:
> In the book of Ivan Ristic (Bullet Proof TLS and PKI), chapter 12,
> section *Creating Certificates for Multiple Hostnames*, the author
> uses a wildcard in the SAN (*.feistyduck.com).
>
> So, if the SAN has *.feistyduck.com and feistyduck.com, what will be
> accepted with the above flag?
>
> 1. www.feistyduck.com ?
> 4. feistyduck.com ?
Yes, regardless of the flag value.
> 2. www.sub.feistyduck.com ?
> 3. www.sub.sub2.feistyduck.com ?
No, regardless of the flag value.
The documentation reads:
If set, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS suppresses support for
"*" as wildcard pattern in labels that have a prefix or suffix, such
as: "www*" or "*www"; this only applies to X509_check_host.
Did you read the documentation? Which part was unclear?
--
Viktor.
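To make the "label" question in this thread concrete: a DNS name is a sequence of dot-separated labels ("www", "sub", "feistyduck", "com"), and the flags discussed above only change how a "*" inside the leftmost label of a SAN entry is interpreted. The following is an added illustration written for this thread, not OpenSSL code and not taken from the book; it models the documented X509_check_host() rules in plain Python without calling OpenSSL. The flag values, the SAN list and the rule that "*" must match at least one character are assumptions of this example (only the flag names follow OpenSSL's).

```python
# Toy model of OpenSSL X509_check_host() wildcard rules, written for this
# thread as an illustration; it is not OpenSSL code and does not call OpenSSL.
# The flag values below are constructed for the example; only the names follow
# the OpenSSL flags discussed in the thread.
NO_PARTIAL_WILDCARDS = 0x1     # forbid "www*" / "*www" style labels
MULTI_LABEL_WILDCARDS = 0x2    # let one "*" span several labels


def labels(name):
    """Split a DNS name into its dot-separated labels (case-insensitive)."""
    return name.lower().rstrip(".").split(".")


def wildcard_pattern_valid(pattern, flags):
    """Apply the structural rules for a SAN entry containing '*'."""
    labs = labels(pattern)
    if pattern.count("*") != 1 or "*" not in labs[0]:
        return False                       # a single '*', leftmost label only
    if len(labs) < 3:
        return False                       # at least two labels must follow it ("*.com" is out)
    if labs[0] != "*" and flags & NO_PARTIAL_WILDCARDS:
        return False                       # partial wildcard suppressed by the flag
    return True


def match_pattern(hostname, pattern, flags):
    """True if hostname is covered by one SAN dNSName entry."""
    if "*" not in pattern:
        return labels(hostname) == labels(pattern)   # plain name: exact match
    if not wildcard_pattern_valid(pattern, flags):
        return False
    plabs, hlabs = labels(pattern), labels(hostname)
    tail = plabs[1:]                       # labels after the wildcard label
    if len(hlabs) <= len(tail) or hlabs[-len(tail):] != tail:
        return False                       # suffix must be present and identical
    consumed = hlabs[:-len(tail)]          # labels the wildcard label has to cover
    if len(consumed) > 1 and not flags & MULTI_LABEL_WILDCARDS:
        return False                       # "*" matches exactly one label by default
    head = ".".join(consumed)
    before, after = plabs[0].split("*")    # e.g. "www*" -> ("www", "")
    if len(head) < len(before) + len(after) + 1:
        return False                       # assumption: '*' must match at least one character
    return head.startswith(before) and head.endswith(after)


def check_host(hostname, san_names, flags=0):
    """Return the first SAN entry that covers hostname, or None."""
    for pattern in san_names:
        if match_pattern(hostname, pattern, flags):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed SAN list matching the one discussed in the thread.
    SAN = ["*.feistyduck.com", "feistyduck.com"]
    for host in ["www.feistyduck.com", "feistyduck.com",
                 "www.sub.feistyduck.com", "www.sub.sub2.feistyduck.com"]:
        print(f"{host:32} default: {check_host(host, SAN)!s:20} "
              f"multi-label: {check_host(host, SAN, MULTI_LABEL_WILDCARDS)}")
```

Running it reproduces the answers given above: www.feistyduck.com is covered by the wildcard entry, feistyduck.com only by its own exact entry (the "*" never matches zero labels), and the two deeper names are rejected unless the multi-label flag is set. NO_PARTIAL_WILDCARDS has no effect on any of these, because "*.feistyduck.com" is a whole-label wildcard; it only bites on entries such as "www*.feistyduck.com".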