On Sun, Nov 21, 2021 at 04:05:44PM -0500, Ryan Sleevi wrote:
> Using your example here, of a server set to accept any client presented
> identifier in the form *.foo.example, a sharp edge here would be how to
> handle when the presented identifier is also *.foo.example - is that an
> acceptable match or not?
OpenSSL supports wildcards in the reference identifier, but to try to
reduce confusion these deliberately use a variant syntax: instead of
"*.foo.example" (presented wildcard), the reference wildcard syntax is
".foo.example".
In the case you highlight, yes "*.foo.example" matches ".foo.example",
because any specific host would and "*.foo.example" is a certificate
valid for any of them.
Which is not to say that I think that wildcard certs are a good idea. I
strongly discourage their use.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
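The matching rule described in the reply above, worked through as an added illustration. This is hypothetical example code written for this page, not OpenSSL's X509_check_host() implementation and not anything Viktor posted; the function name presented_matches_reference() and the helper _normalize() are invented here, and the one-label wildcard rule applied when the reference names a specific host is a simplifying assumption rather than a statement of OpenSSL's exact behaviour.

```python
"""Reference vs. presented wildcard identifiers, as described in the message.

Presented identifier: the dNSName in the certificate, which may begin with
"*." (e.g. "*.foo.example").
Reference identifier: what the verifier expects; a leading "." (e.g.
".foo.example") means "any sub-domain of foo.example".

Added, hypothetical example code: this is NOT OpenSSL's X509_check_host()
logic, only a small matcher showing the semantics the reply describes.
"""


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot only marks an absolute name.
    return name.lower().rstrip(".")


def presented_matches_reference(presented: str, reference: str) -> bool:
    """Return True if the certificate name `presented` satisfies `reference`."""
    presented = _normalize(presented)
    reference = _normalize(reference)

    if reference.startswith("."):
        # ".foo.example": the verifier accepts any sub-domain of foo.example.
        parent = reference[1:]
        if presented.startswith("*."):
            # A wildcard cert "*.X" is valid for every host directly under X,
            # so it satisfies the reference when X is foo.example itself or
            # some sub-domain of it. This is the case raised in the thread:
            # "*.foo.example" matches ".foo.example".
            base = presented[2:]
            return base == parent or base.endswith("." + parent)
        # A specific host must lie strictly below the parent; the parent
        # itself ("foo.example") is not a sub-domain of itself.
        return presented.endswith("." + parent)

    # Reference names one specific host (no leading dot).
    if presented.startswith("*."):
        # Simplifying assumption: the wildcard covers exactly one leftmost
        # label, and we refuse to match when that would leave fewer than two
        # labels under the wildcard (so "*.example" never matches "www.example").
        labels = reference.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == presented[2:]
    return presented == reference


if __name__ == "__main__":
    # Constructed sample pairs; the first line is the exact case from the thread.
    for pres, ref in [
        ("*.foo.example", ".foo.example"),
        ("bar.foo.example", ".foo.example"),
        ("foo.example", ".foo.example"),
        ("*.foo.example", "bar.foo.example"),
        ("*.foo.example", "a.bar.foo.example"),
    ]:
        print(f"{pres:22} vs {ref:22} -> {presented_matches_reference(pres, ref)}")
```

The leading-dot reference form only appears on the verifier side; a certificate never carries a dNSName beginning with ".", which is what keeps the two syntaxes from being confused with one another.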