On Sun, Nov 21, 2021 at 04:05:44PM -0500, Ryan Sleevi wrote:

> Using your example here, of a server set to accept any client presented
> identifier in the form *.foo.example, a sharp edge here would be how to
> handle when the presented identifier is also *.foo.example - is that an
> acceptable match or not?
OpenSSL supports wildcards in the reference identifier, but to try to reduce confusion these deliberately use a variant syntax: instead of "*.foo.example" (presented wildcard), the reference wildcard syntax is ".foo.example".

In the case you highlight, yes, "*.foo.example" matches ".foo.example", because any specific host would, and "*.foo.example" is a certificate valid for any of them.

Which is not to say that I think that wildcard certs are a good idea. I strongly discourage their use.

--
Viktor.
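As an added illustration (not OpenSSL's implementation and not code from the thread), the following toy matcher models the two syntaxes the reply contrasts: a presented wildcard "*.foo.example" on the certificate side and a leading-dot reference identifier ".foo.example" on the verifying side. It assumes, as the reply does, that a leading-dot reference accepts any host below that domain with any number of labels, and that a presented wildcard only ever stands in for the single leftmost label.

```python
"""Toy model of presented-wildcard vs reference-wildcard matching.

Added example: it mirrors the rules stated in the reply, not OpenSSL's code.
Assumptions: names are compared case-insensitively, a trailing dot is ignored,
and a leading-dot reference accepts any number of labels below the domain.
"""


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def _well_formed(labels: list[str]) -> bool:
    """No empty labels; '*' allowed only as the whole leftmost label."""
    if any(label == "" for label in labels):
        return False
    if any("*" in label for label in labels[1:]):
        return False
    return labels[0] == "*" or "*" not in labels[0]


def presented_matches_host(presented: str, host: str) -> bool:
    """Does a certificate name (possibly '*.foo.example') cover a concrete host?
    The wildcard covers exactly one label, so 'a.b.foo.example' is not covered."""
    p, h = _labels(presented), _labels(host)
    if not (_well_formed(p) and _well_formed(h)) or h[0] == "*":
        return False
    if len(p) != len(h) or len(p) < 2:  # a wildcard needs a domain below it
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def reference_matches_presented(reference: str, presented: str) -> bool:
    """Does the verifier's reference identifier accept the certificate's name?

    A reference starting with '.' is the reference-wildcard syntax: it accepts
    every host below that domain, and therefore also the presented wildcard
    '*.<domain>', since a certificate for that name is valid for all of them.
    """
    p = _labels(presented)
    if not _well_formed(p):
        return False
    if reference.startswith("."):
        suffix = _labels(reference[1:])
        if not _well_formed(suffix) or suffix[0] == "*":
            return False
        # at least one label above the suffix, and the suffix itself must match
        return len(p) > len(suffix) and p[-len(suffix):] == suffix
    # plain reference: the presented name (wildcard or not) must cover it
    return presented_matches_host(presented, reference)
```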