JSS uses NSS's SSL engine, and NSS's SSL engine recognizes wildcard certificates.
Specifically, the default certificate authentication function, SSL_AuthCertificate (http://lxr.mozilla.org/mozilla/source/security/nss/lib/ssl/sslauth.c#245), calls CERT_VerifyCertName (http://lxr.mozilla.org/mozilla/source/security/nss/lib/certdb/certdb.c#1233), which calls PORT_RegExpCaseSearch() to match the cert.

I'm not aware of another solution to this problem, but I know the TLS working group was arguing over whether to add a facility for sending the expected hostname through the TLS protocol. This would allow the server to present the certificate the client is expecting.

Swaminathan Seetharaman wrote:

> Hi Jamie,
>
> Does JSS support wildcard certificates?
> i.e (a single certificate, with a wildcard character in the
> domain name field. This allows the certificate to secure
> multiple hosts within the same domain. For example, a certificate for
> *.domain.com, could be used for www.domain.com, www1.domain.com,
> www2.domain.com, in fact, any host in the domain.com domain.)
>
> Is there any other way to handle the problem of an ssl server aliased to
> multiple domains?
>
> warmest regards
> cheers swamy
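
Added example, not part of the original messages and not NSS code: a conservative wildcard hostname check for the `*.domain.com` case raised in the question. The function name `wildcard_host_match` and its rules (wildcard only as the whole leftmost label, standing for exactly one label, suffix of at least two labels) are assumptions and are not taken from PORT_RegExpCaseSearch().

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical helper, not an NSS function. Returns 1 on match, 0 otherwise. */
int wildcard_host_match(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;

    /* No wildcard: plain case-insensitive comparison. */
    if (strchr(pattern, '*') == NULL)
        return strcasecmp(pattern, host) == 0;

    /* Wildcard must be the entire leftmost label: "*.<suffix>". */
    if (pattern[0] != '*' || pattern[1] != '.')
        return 0;
    const char *suffix = pattern + 1;            /* e.g. ".domain.com" */
    if (strchr(suffix + 1, '*') != NULL)         /* only one '*' allowed */
        return 0;
    if (strchr(suffix + 1, '.') == NULL)         /* reject "*.com" */
        return 0;

    /* '*' stands for exactly one non-empty label of the host. */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;
    return strcasecmp(dot, suffix) == 0;
}

int main(void)
{
    /* Constructed sample names, following the example in the question. */
    const char *hosts[] = { "www.domain.com", "WWW1.Domain.Com", "domain.com",
                            "a.b.domain.com", "www.domain.com.example.net" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-28s %s\n", hosts[i],
               wildcard_host_match("*.domain.com", hosts[i]) ? "match" : "no match");
    return 0;
}
```

Under these assumed rules the bare domain and names more than one label deep are rejected, so a certificate for `*.domain.com` covers `www.domain.com` but not `domain.com` or `a.b.domain.com`.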
