[ipxe-devel] Wildcard HTTPS cert support.

Michael Brown mbrown at fensystems.co.uk
Fri Sep 6 16:35:10 UTC 2013


On 06/09/13 16:53, Nicolas Sylvain wrote:
>  From http://tools.ietf.org/html/rfc2818 I see "
>
> Names may contain the wildcard character * which is considered to match
> any single domain name component or component fragment. E.g., *.a.com
> matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not
> bar.com.
> "
>
> I'm clearly not an HTTPS expert, but I'm not aware of any more rules. If
> it makes sense to you as well I can fix my patch to implement it.
> (unless someone else has a better patch already).

RFC6125 section 6.4.3 seems to have some additional rules.  It seems 
unclear from the RFCs what behaviour is most expected, but it looks as 
though it would be acceptable (and simple) to allow only a single 
initial "*.", which should match against only the first component of the 
name.

Michael
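
An added example, not part of the original message and not iPXE code: a minimal C sketch of the rule suggested above, where only a single initial "*." is honoured and it matches exactly one leading component of the name. The function name cert_name_matches and the sample names in main() are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper (not iPXE code): return 1 if DNS name `name`
 * matches certificate name `pattern`, else 0.  Only a single leading
 * "*." is treated as a wildcard, and it stands for exactly one
 * non-empty leftmost component of `name`. */
int cert_name_matches(const char *pattern, const char *name)
{
    const char *dot;

    if (strncmp(pattern, "*.", 2) == 0) {
        /* The wildcard must consume a real, non-empty first component. */
        dot = strchr(name, '.');
        if (dot == NULL || dot == name)
            return 0;
        /* Skip "*" in the pattern and the first component in the name;
         * both remainders now start at the '.'. */
        pattern += 1;
        name = dot;
    }
    /* Any '*' still present is an unsupported form, such as "f*.com",
     * "foo.*.com", "*.*.com" or a bare "*": refuse to match. */
    if (strchr(pattern, '*') != NULL)
        return 0;
    /* DNS names compare case-insensitively. */
    return strcasecmp(pattern, name) == 0;
}

int main(void)
{
    /* Constructed sample pairs: { certificate name, requested host } */
    static const char *cases[][2] = {
        { "*.a.com", "foo.a.com" },     { "*.a.com", "bar.foo.a.com" },
        { "*.a.com", "a.com" },         { "f*.com", "foo.com" },
        { "www.a.com", "WWW.A.COM" },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-10s vs %-14s -> %d\n", cases[i][0], cases[i][1],
               cert_name_matches(cases[i][0], cases[i][1]));
    return 0;
}
```

This deliberately rejects the RFC 2818 fragment form (f*.com), and it does nothing to restrict overly broad names such as *.com; that would need a separate check.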


