I wrote:
> Some more information on this:
> https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf
> slide 5 lists the matching rules for email, HTTP, and LDAP over TLS,
> respectively, which are not all the same. Also note that these methods
> have rules for interpreting fields in the certificate other than the common
> name for the host name.
>
> I think it is safest and easiest to allow a * wildcard only as the first
> character and only when followed immediately by a dot.
>
> Maybe some DNS expert around here can offer advice on what a morally sound
> solution would be.

This page summarizes the sadness pretty well:
http://wiki.cacert.org/wiki/WildcardCertificates

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
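An added example, not code from the thread or from PostgreSQL, implementing the restricted rule proposed above in C: a `*` in the certificate name is accepted only as the first character and only when a dot follows it, and anything else containing `*` is rejected outright. It assumes, beyond what the thread states, that the leading `*.` stands for exactly one non-empty DNS label and that names compare case-insensitively.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality: DNS names compare without regard to case. */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* The restricted rule from the thread: a certificate name is acceptable if
 * it has no '*' at all, or its only '*' is the first character and a '.'
 * follows it immediately. */
bool wildcard_pattern_ok(const char *pattern)
{
    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return true;                    /* plain name, no wildcard */
    if (star != pattern || pattern[1] != '.')
        return false;                   /* "db*.example.com", "*example.com" */
    return strchr(pattern + 1, '*') == NULL;   /* a second '*' is rejected */
}

/* Match `host` against certificate name `pattern`.  Assumption (not stated in
 * the thread): a leading "*." stands for exactly one non-empty DNS label, so
 * "*.example.com" matches "db.example.com" but not "a.db.example.com". */
bool hostname_matches(const char *pattern, const char *host)
{
    if (!wildcard_pattern_ok(pattern))
        return false;                   /* malformed pattern never matches */
    if (pattern[0] != '*')
        return ieq(pattern, host);      /* exact, case-insensitive */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;                   /* no label, or an empty first label */
    return ieq(pattern + 1, dot);       /* compare the ".example.com" tails */
}

int main(void)
{   /* constructed sample inputs: one accepted name, two rejected ones */
    printf("%d %d %d\n", hostname_matches("*.example.com", "db.example.com"),
           hostname_matches("*.example.com", "a.db.example.com"),
           hostname_matches("db*.example.com", "db1.example.com"));
    return 0;
}
```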