Ralph Holz (TUM) wrote, On 12/13/2010 02:38 PM:
> Good day,
> I was wondering how wildcards in CNs are evaluated in nss (also,
> wondering if it's the same in openssl). The X.509 RFC seems to
> indicate the following:
> *.domain.dom matches a.domain.dom, but not a.b.domain.dom
> If you want to match sub-sub-domains, you would thus need another
> wildcard added to your CN: *.*.domain.dom.
> Is my understanding correct?
Nobody answered with the NSS specifics yet, so I will add my comments on
the topic.
Yes, RFC 2818 is quite clear that "Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment." Errata 1077 deliberately neither
permits nor prohibits multiple wildcards.
Note also draft-saintandre-tls-server-id-check-12 which summarizes much
of the confusion about wildcards and recommends moving away from
wildcards in general - and domain names in CN.
AFAIK OpenSSL doesn't implement these checks at all. It parses the
certificate and leaves the actual check to someone else.
/Mads
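The RFC 2818 rule quoted above ("any single domain name component or component fragment") is easy to get wrong in a validator, so here is an added example of a matcher that implements exactly that rule. This is illustrative code written for this thread, not NSS's or OpenSSL's implementation. The label-by-label comparison is what makes `*.domain.dom` fail against `a.b.domain.dom` (three labels versus four) while `*.*.domain.dom` succeeds, which is the case the RFC leaves open. `hostname_matches_strict` is an assumed, stricter policy (wildcard allowed only as the entire leftmost label, no fragments, no multiple wildcards); it is not something the RFC text requires.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive match of one pattern label against one host label.
 * A '*' in the pattern label matches any run of characters inside that
 * label only; it never crosses a '.', which is how RFC 2818's
 * "component or component fragment" wording is realised here. */
static int label_matches(const char *pat, size_t plen,
                         const char *host, size_t hlen)
{
    size_t pi = 0, hi = 0;
    size_t star_p = (size_t)-1, star_h = 0;   /* backtracking state */

    while (hi < hlen) {
        if (pi < plen && pat[pi] == '*') {
            star_p = pi++;          /* remember the star position */
            star_h = hi;            /* and where it started matching */
        } else if (pi < plen &&
                   tolower((unsigned char)pat[pi]) ==
                   tolower((unsigned char)host[hi])) {
            pi++; hi++;
        } else if (star_p != (size_t)-1) {
            pi = star_p + 1;        /* let the star absorb one more char */
            hi = ++star_h;
        } else {
            return 0;
        }
    }
    while (pi < plen && pat[pi] == '*')
        pi++;                       /* trailing stars may match nothing */
    return pi == plen;
}

/* Returns 1 if `host` is matched by certificate name `pattern`, else 0.
 * Labels are compared one-to-one, so the label counts must be equal:
 * "*.domain.dom" (3 labels) can never match "a.b.domain.dom" (4 labels),
 * whereas "*.*.domain.dom" can, since each '*' covers one label. */
int hostname_matches(const char *pattern, const char *host)
{
    const char *p = pattern, *h = host;

    if (*p == '\0' || *h == '\0')
        return 0;

    for (;;) {
        const char *pdot = strchr(p, '.');
        const char *hdot = strchr(h, '.');
        size_t plen = pdot ? (size_t)(pdot - p) : strlen(p);
        size_t hlen = hdot ? (size_t)(hdot - h) : strlen(h);

        if (plen == 0 || hlen == 0)        /* empty label: malformed name */
            return 0;
        if (!label_matches(p, plen, h, hlen))
            return 0;
        if (!pdot && !hdot)
            return 1;                      /* both names exhausted together */
        if (!pdot || !hdot)
            return 0;                      /* different number of labels */
        p = pdot + 1;
        h = hdot + 1;
    }
}

/* Assumed stricter policy: the only '*' permitted is the whole leftmost
 * label ("*.rest"); fragments such as "f*.x" and "*.*.x" are rejected. */
static int wildcard_is_leftmost_only(const char *pattern)
{
    const char *star = strchr(pattern, '*');
    if (!star)
        return 1;                          /* no wildcard at all */
    return star == pattern && pattern[1] == '.' &&
           strchr(pattern + 1, '*') == NULL;
}

int hostname_matches_strict(const char *pattern, const char *host)
{
    return wildcard_is_leftmost_only(pattern) && hostname_matches(pattern, host);
}

int main(void)
{
    /* Constructed sample pairs taken from the cases discussed in the thread. */
    static const char *cases[][2] = {
        { "*.domain.dom",   "a.domain.dom"   },
        { "*.domain.dom",   "a.b.domain.dom" },
        { "*.*.domain.dom", "a.b.domain.dom" },
        { "f*.domain.dom",  "foo.domain.dom" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s vs %-16s  rfc2818=%d strict=%d\n",
               cases[i][0], cases[i][1],
               hostname_matches(cases[i][0], cases[i][1]),
               hostname_matches_strict(cases[i][0], cases[i][1]));
    return 0;
}
```

Because the fragment form `f*.domain.dom` is valid under RFC 2818 but rejected by the strict variant, a validator's choice between the two functions is a policy decision; whichever is chosen, the label-count check is what prevents a single wildcard from silently covering arbitrarily deep subdomains.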
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto