Wildcards on cert host checking
Hal Murray
hmurray at megapathdsl.net
Wed Feb 13 22:52:35 UTC 2019
Gary said:
>> Any reason to allow or prohibit them?
> Do you mean the option to reject certs where the cert name
> is: *.example.com?
> Do you mean for client or server cert checking?
I'm interested in the case where the client is checking the cert from the
server.
OpenSSL doesn't default to requiring a cert or checking it. You have to check
it explicitly, and if you want to verify that the cert came from the right
place you have to give OpenSSL a hostname to check. That same area of the API
has an option to disable wildcards.
From man X509_check_host:
> If set, X509_CHECK_FLAG_NO_WILDCARDS disables wildcard expansion; this
> only applies to X509_check_host.
>
> If set, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS suppresses support for "*"
> as wildcard pattern in labels that have a prefix or suffix, such as:
> "www*" or "*www"; this only applies to X509_check_host.
--
These are my opinions. I hate spam.