Re: Wildcard certs vs. base name
John Nagle wrote:

> Question: Is a certificate for *.example.com considered valid for example.com?
> OpenSSL seems to say no, but Firefox 2 says yes. Try https://stanford.edu for a test.

IIRC OpenSSL does not accept wildcards at all in s_client. The library itself does not make any decision whether a name in a certificate matches the (host-)name the application tried to connect to.

Browsers seem to handle wildcards differently, see http://wiki.cacert.org/wiki/WildcardCertificates for some compiled information about the topic.

Hope it helps.

Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
Re: [openssl-users] Wildcard certs vs. base name
Today, the day before the Ides of November 2008, John Nagle wrote:

> Question: Is a certificate for *.example.com considered valid for example.com?

No. *.example.com could at most be reduced to .example.com, but the first . can't be suppressed.

> OpenSSL seems to say no, but Firefox 2 says yes. Try https://stanford.edu for a test.

The certificate sent by this site has a subjectAlternativeName extension:

    X509v3 Subject Alternative Name:
        DNS:*.stanford.edu, DNS:stanford.edu

And this satisfies Firefox.

> RFC 2459 doesn't discuss wildcards. I haven't paid 73 CHF to access the X.509 standard at http://www.itu.int/rec/T-REC-X.509-200508-I/en.

RFC2459 is waaay obsolete, it has been replaced by RFC3280, and then by RFC5280. It can't discuss wildcards, since it's an SSL-only use case. Same goes for the X.509 standard (which is free to download in PDF format).

--
Erwann ABALEA [EMAIL PROTECTED] - Jesus saves! Passes to Moses, he shoots. He SCORES!

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
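The rule the thread arrives at (a wildcard stands for exactly one label, so *.example.com on its own never covers example.com, and the bare name has to be a separate SAN entry as in the stanford.edu certificate quoted above) as an added Python example; this is not code from the thread or from OpenSSL, which, as Ted notes, leaves the name decision to the application. The SAN list is the one quoted in this reply; the handling of a '*' anywhere other than the whole left-most label, and the refusal of *.tld patterns, are assumptions taken from common browser practice.

```python
# Application-side hostname matching against certificate DNS names.
# Added example; rules assumed (not from the thread): a single '*' only as the
# entire left-most label, matching exactly one non-empty label, and at least
# two further labels so '*.com' is never accepted.

def _label_matches(pattern_label: str, host_label: str) -> bool:
    """One DNS label vs. one pattern label, case-insensitively."""
    if pattern_label == "*":
        return host_label != ""          # wildcard needs a real label here
    return pattern_label.lower() == host_label.lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly '*.x.y') covers hostname."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if "*" in pattern:
        # Reject '*' anywhere but as the whole first label, and reject
        # patterns that would cover an entire TLD such as '*.com'.
        if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
            return False
    # The wildcard consumes exactly one label, so label counts must agree:
    # '*.example.com' (3 labels) cannot cover 'example.com' (2 labels),
    # nor 'a.b.example.com' (4 labels).
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches_host(san_dns_names, hostname: str) -> bool:
    """Does any DNS entry from the certificate's SAN extension cover hostname?"""
    return any(name_matches(name, hostname) for name in san_dns_names)


# Constructed sample: the SAN entries quoted above for the stanford.edu site.
STANFORD_SAN = ["*.stanford.edu", "stanford.edu"]

if __name__ == "__main__":
    for host in ("stanford.edu", "www.stanford.edu", "a.b.stanford.edu"):
        print(f"{host:20s} wildcard only: {cert_matches_host(STANFORD_SAN[:1], host)!s:5s}"
              f"  full SAN: {cert_matches_host(STANFORD_SAN, host)}")
```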
Wildcard certs vs. base name
Question: Is a certificate for *.example.com considered valid for example.com? OpenSSL seems to say no, but Firefox 2 says yes. Try https://stanford.edu for a test.

RFC 2459 doesn't discuss wildcards. I haven't paid 73 CHF to access the X.509 standard at http://www.itu.int/rec/T-REC-X.509-200508-I/en.

John Nagle
SiteTruth