
Currently working on adding hostname checking support to all SSL connections to a server application that uses OpenSSL 1.1.1k. The server should accept subdomains, i.e., maps.example.com, mail.example.com, etc., with one reference identifier option to match all subdomains.

Went through https://www.openssl.org/docs/manmaster/man3/X509_check_host.html and found wildcard matching is possible.

Had a test using client certificate with Subject Alternative Name maps.example.com.

Explicit hostname match works with a check hostname maps.example.com. But the match fails when a wildcard check hostname is used, i.e., *.example.com.

Please let me know if my understanding of the wildcard hostname checking is not correct.

Below is the command-line variant of the same checks:

% openssl x509 -noout -in client-cert.pem -ext subjectAltName
X509v3 Subject Alternative Name:
    DNS:maps.example.com

% openssl x509  -noout -in client-cert.pem -checkhost maps.example.com
Hostname maps.example.com does match certificate

% openssl x509  -noout -in client-cert.pem -checkhost '*.example.com'
Hostname *.example.com does NOT match certificate
Vikyboss
    The name _in the certificate_ (SAN.DNS, or CN in Subject which is officially obsolete but still works in OpenSSL) can be a wildcard (for exactly one level only); **the desired/intended hostname must be exact**. This is designed for verifying the _server_ and every TLS/TCP connection can go to only one server whose identity is predetermined (by a URL, configuration, etc); TLS client-authentication is rarely used and for many protocols clients may not even have a DNS name. See RFC2818 3.2 for HTTPS; most other TLS-related RFCs don't even mention client, see 6125 and its links. – dave_thompson_085 Jul 09 '23 at 09:22
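To make the asymmetry in the comment concrete, here is an added example (not code from the question, the comment, or OpenSSL) that implements the RFC 6125 section 6.4.3 matching rules in pure Python: the wildcard may only appear in the certificate's dNSName, and the reference identifier is always a literal hostname. It is stricter than OpenSSL's default on one point, noted in the docstring, and the final function is a hypothetical separate policy check for the asker's "any name under example.com" goal, which is not something X509_check_host does.

```python
from typing import Iterable, List

def _labels(name: str) -> List[str]:
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")

def dns_name_matches(cert_name: str, reference_id: str) -> bool:
    """Match one certificate dNSName against one exact reference identifier.

    Rules follow RFC 6125 section 6.4.3 (stricter than OpenSSL's default,
    which also allows partial labels such as 'ma*.example.com' unless
    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS is set):
      * the reference identifier is literal: a '*' in it is not a pattern;
      * a wildcard must be the entire leftmost label of the cert name and
        at least two labels must follow it;
      * the wildcard matches exactly one label, so 'a.maps.example.com'
        does not match '*.example.com'.
    """
    if "*" in reference_id:
        return False                                   # reference id must be exact
    cert, ref = _labels(cert_name), _labels(reference_id)
    if "*" not in cert_name:
        return cert == ref                             # plain name: label-wise equality
    if cert[0] != "*" or any("*" in lab for lab in cert[1:]) or len(cert) < 3:
        return False                                   # malformed wildcard name
    return len(ref) == len(cert) and ref[0] != "" and cert[1:] == ref[1:]

def check_host(san_dns_names: Iterable[str], reference_id: str) -> bool:
    """X509_check_host-style: does any SAN dNSName match the exact hostname?"""
    return any(dns_name_matches(n, reference_id) for n in san_dns_names)

def san_directly_under(san_dns_names: Iterable[str], parent: str) -> bool:
    """Hypothetical policy for the asker's goal, separate from hostname
    verification: accept a cert carrying a literal name exactly one label
    below `parent`. Wildcard SANs are deliberately not accepted here."""
    parent_labels = _labels(parent)
    for n in san_dns_names:
        labs = _labels(n)
        if "*" not in n and len(labs) == len(parent_labels) + 1 and labs[1:] == parent_labels:
            return True
    return False

if __name__ == "__main__":
    client_san = ["maps.example.com"]              # constructed, mirrors the question's cert
    print(check_host(client_san, "maps.example.com"))         # True
    print(check_host(client_san, "*.example.com"))            # False, as in the question
    print(check_host(["*.example.com"], "maps.example.com"))  # True: wildcard belongs in the cert
    print(san_directly_under(client_san, "example.com"))      # True
```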

0 Answers