Wildcard certs vs. base name


Wildcard certs vs. base name

John Nagle
Question: Is a certificate for "*.example.com" considered valid for "example.com"?

OpenSSL seems to say no, but Firefox 2 says yes.  Try
"https://stanford.edu" for a test.

RFC 2459 doesn't discuss wildcards.  I haven't paid
73 CHF to access the X.509 standard at
"http://www.itu.int/rec/T-REC-X.509-200508-I/en".

                                        John Nagle
                                        SiteTruth
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Wildcard certs vs. base name

Bernhard Fröhlich-2
John Nagle wrote:
> Question: Is a certificate for "*.example.com" considered valid for
> "example.com"?
>
> OpenSSL seems to say no, but Firefox 2 says yes.  Try
> "https://stanford.edu" for a test.
IIRC OpenSSL does not accept wildcards at all in s_client. The library
itself does not make any decision whether a name in a certificate matches
the (host-)name the application tried to connect to.

Browsers seem to handle wildcards differently, see
http://wiki.cacert.org/wiki/WildcardCertificates for some compiled
information about the topic.

Hope it helps.
Ted
;)


Re: [openssl-users] Wildcard certs vs. base name

Erwann ABALEA
Today, the day before the Ides of November 2008, John Nagle wrote:
> Question: Is a certificate for "*.example.com" considered valid for "example.com"?

No. "*.example.com" could at most be reduced to ".example.com", but
the first "." can't be suppressed.

> OpenSSL seems to say no, but Firefox 2 says yes.  Try
> "https://stanford.edu" for a test.

The certificate sent by this site has a subjectAlternativeName
extension:
X509v3 Subject Alternative Name:
    DNS:*.stanford.edu, DNS:stanford.edu

And this satisfies Firefox.

> RFC 2459 doesn't discuss wildcards.  I haven't paid
> 73 CHF to access the X.509 standard at  
> "http://www.itu.int/rec/T-REC-X.509-200508-I/en".

RFC2459 is waaayyyy obsolete, it has been replaced by RFC3280, and
then by RFC5280. It can't discuss wildcards, since it's an SSL-only
use case. Same goes for the X.509 standard (which is free to download
in PDF format).

--
Erwann ABALEA <[hidden email]>
-----
Jesus saves! Passes to Moses, he shoots. He SCORES!
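As an added illustration (not code from the thread, from OpenSSL, or from any browser), here is a minimal hostname matcher that encodes the rule Erwann states: a wildcard stands in for exactly one leftmost label and never swallows the dot, so "*.example.com" covers "www.example.com" but not "example.com", and a certificate that must cover both needs both names in its subjectAltName, as the quoted stanford.edu certificate does. The function names and the SAN list are assumptions constructed for the example.

```python
# Added example: simplified dNSName matching, written for this thread.
# It implements only the leftmost-label wildcard rule discussed above and
# is not a substitute for a full certificate verifier.

def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; a bare '*' stands for exactly one label."""
    if pattern_label == "*":
        return True
    return pattern_label.lower() == host_label.lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate dNSName (pattern) covers hostname."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    # The wildcard replaces one label and never the dot after it, so the
    # label counts must agree: "*.example.com" has three labels,
    # "example.com" only two, hence no match.
    if len(p_labels) != len(h_labels):
        return False
    # Only the leftmost label may contain a wildcard, and only as the
    # whole label ("w*.example.com" is rejected).
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    if "*" in p_labels[0] and p_labels[0] != "*":
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any dNSName in the subjectAltName list covers hostname."""
    return any(name_matches(n, hostname) for n in san_dns_names)


# Constructed sample: the SAN entries quoted in the thread for stanford.edu.
STANFORD_SAN = ["*.stanford.edu", "stanford.edu"]

if __name__ == "__main__":
    for host in ("www.stanford.edu", "stanford.edu", "a.b.stanford.edu"):
        print(host, cert_covers(STANFORD_SAN, host))
```

Dropping "stanford.edu" from the list makes the bare name fail, which is exactly the situation the question describes.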