<div dir="ltr">Hello,<div><br></div><div>I'm trying to fetch an image off a Google App Engine app. (Hosted on <a href="http://appspot.com">appspot.com</a>).</div><div><br></div><div>The script I'm running:</div><div><br></div>

<div>imgfetch <a href="https://nsylvainoauth.appspot.com/test">https://nsylvainoauth.appspot.com/test</a></div><div><br></div><div>This is failing because:</div><div><br></div><div>"server name incorrect (expected *.<a href="http://appspot.com">appspot.com</a>, got <a href="http://nsylvainoauth.appsot.com">nsylvainoauth.appsot.com</a>)"<br>

</div><div><br></div><div>I made a small change to actually add basic wildcard support to get unstuck. It only works for cases like this one (leading wildcard).</div><div><br></div><div>Here's the patch if anyone is interested.</div>

<div><br></div><div><pre style="white-space:pre-wrap">--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2456,10 +2456,25 @@ static void tls_validator_done ( struct tls_session *tls, int rc ) {
        /* Verify server name */
        if ( ( cert-><a href="http://subject.name/" target="_blank">subject.name</a> == NULL ) ||
             ( strcmp ( cert-><a href="http://subject.name/" target="_blank">subject.name</a>, tls->name ) != 0 ) ) {
-               DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
-                      "%s)\n", tls, tls->name, cert-><a href="http://subject.name/" target="_blank">subject.name</a> );
-               rc = -EACCES_WRONG_NAME;
-               goto err;
+               if ( cert-><a href="http://subject.name/" target="_blank">subject.name</a>[0] == '*' ) {
+                       char * subject_name = cert-><a href="http://subject.name/" target="_blank">subject.name</a> + 1;
+                       int subject_name_len = strlen(subject_name);
+                       int host_name_len = strlen(tls->name);
+                       if ( ( host_name_len < subject_name_len ||
+                            ( strcmp( tls->name + host_name_len - subject_name_len,
+                                      subject_name ) ) != 0 ) ) {
+                               DBGC ( tls, "TLS %p wildcard server name incorrect "
+                                      "(%s does not end with %s)\n", tls, tls->name,
+                                      subject_name);
+                               rc = -EACCES_WRONG_NAME;
+                               goto err;
+                       }
+               } else {
+                       DBGC ( tls, "TLS %p server name incorrect (expected %s, got "
+                              "%s)\n", tls, tls->name, cert-><a href="http://subject.name/" target="_blank">subject.name</a> );
+                       rc = -EACCES_WRONG_NAME;
+                       goto err;
+                }
        }</pre><pre style="white-space:pre-wrap"><br></pre><pre style="white-space:pre-wrap">Now it's actually failing about 50% of the time trying to do the OCSP checks..  but I'll start another thread for this one.</pre>
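<div><br></div><div>Review bot: the suffix test in the new wildcard branch only checks that tls->name ends with whatever follows the '*', which is looser than a one-label wildcard: a subject name of "*" (empty remainder) matches every host, "*ppspot.com" matches "xppspot.com", "*.appspot.com" also matches "a.b.appspot.com", and a host exactly equal to the remainder passes because only host_name_len < subject_name_len is rejected. Suggest requiring subject_name[0] == '.', requiring host_name_len > subject_name_len, and rejecting any '.' in the part of tls->name before the matched suffix so the '*' covers exactly one label. Minor: subject_name_len and host_name_len hold strlen() results and should be size_t rather than int.</div>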

<pre style="white-space:pre-wrap">Thanks</pre><pre style="white-space:pre-wrap">Nicolas</pre></div></div>