Today is the day before the Ides of November 2008; John Nagle wrote:
> Question: Is a certificate for "*.example.com" considered valid for
> "example.com"?

No. "*.example.com" could at most be reduced to ".example.com", but the
first "." can't be suppressed.

> OpenSSL seems to say no, but Firefox 2 says yes. Try
> "https://stanford.edu" for a test.

The certificate sent by this site has a subjectAlternativeName
extension:
    X509v3 Subject Alternative Name:
        DNS:*.stanford.edu, DNS:stanford.edu
And this satisfies Firefox.

> RFC 2459 doesn't discuss wildcards. I haven't paid
> 73 CHF to access the X.509 standard at
> "http://www.itu.int/rec/T-REC-X.509-200508-I/en".

RFC2459 is waaayyyy obsolete, it has been replaced by RFC3280, and then
by RFC5280. It can't discuss wildcards, since it's an SSL-only use case.
Same goes for the X.509 standard (which is free to download in PDF
format).

-- 
Erwann ABALEA <[EMAIL PROTECTED]>
-----
Jesus saves! Passes to Moses, he shoots. He SCORES!
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
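The matching behaviour discussed in the message above, as an added example that is not part of the original post or of OpenSSL or Firefox code. It assumes the common rule that `*` is accepted only as the whole leftmost label and stands for exactly one non-empty label; the function names and the `WILDCARD_ONLY` list are hypothetical, while `STANFORD_SAN` repeats the two entries quoted in the reply.

```python
def _labels(name):
    """Lower-case a DNS name, drop one trailing root dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def dns_name_matches(pattern, hostname):
    """Return True if one dNSName entry (pattern) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h:
        return False      # empty label, e.g. ".example.com": malformed
    if any("*" in label for label in h):
        return False      # the requested hostname is never itself a pattern
    if any("*" in label for label in p[1:]):
        return False      # wildcard is only accepted in the leftmost label
    if "*" not in p[0]:
        return p == h     # plain name: exact, case-insensitive match
    if p[0] != "*":
        return False      # partial wildcards such as "w*w" rejected (assumption)
    # "*" replaces exactly one label, so "*.example.com" can never shrink
    # to "example.com": the label counts differ.
    return len(p) == len(h) and p[1:] == h[1:]


def cert_covers(san_dns_names, hostname):
    """True if any dNSName in the subjectAltName list covers hostname."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)


# The two SAN entries quoted in the message for stanford.edu.
STANFORD_SAN = ["*.stanford.edu", "stanford.edu"]
# Constructed sample: a certificate that carries only the wildcard entry.
WILDCARD_ONLY = ["*.example.com"]

if __name__ == "__main__":
    for names, host in [
        (WILDCARD_ONLY, "example.com"),
        (WILDCARD_ONLY, "www.example.com"),
        (WILDCARD_ONLY, "a.b.example.com"),
        (STANFORD_SAN, "stanford.edu"),
        (STANFORD_SAN, "www.stanford.edu"),
    ]:
        print(f"{host:20} vs {names}: {cert_covers(names, host)}")
```

A certificate meant to serve both the bare domain and its subdomains therefore needs both dNSName entries, as the stanford.edu certificate quoted above has.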