> The wildcard is the lowest-level component of a DNS name, which is at the
left as written; in

You're right (left?) of course. I was somehow picturing it incorrectly in my
mind. I quickly went and looked at my wildcard comparison code and it is
correct (whew!). 

In my other thread about checking client IP addresses I was picturing a
lowest-level/RIGHTmost wildcard on the IP address: e.g. 192.168.1.*

That's "lowest level" conceptually but I guess not what the standard or
convention provides for.

BTW, a good quick discussion of wildcard certificate names:
http://support.godaddy.com/help/article/567/what-is-a-wildcard-ssl-certificate
(They'd love to sell you one; this is not an endorsement.)

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Thursday, October 11, 2012 5:13 PM
To: openssl-users@openssl.org
Subject: RE: Firefox unhappy with my self signed Cert

>From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
>Sent: Thursday, 11 October, 2012 19:40

Some minor points:

>How do you specify the name (URL) of the Web site in Firefox? 
>Do you use exactly the same name as you use with the test client (and 
>the name in the certificate)?

OP's test client was openssl s_client, which does NOT check hostname, so
that one doesn't matter. URL in Firefox/etc and name in cert do.

>Firefox is saying the certificate is for myserver but you are 
>specifying a different name when you open the site. The name has to be 
>exactly the same as one of the names (including alternates) in the 
>certificate. (You can wildcard the last node in the alternate
>names.) myserver is not the same as myserver.com

You can use wildcard in either Subject or SubjectAlternativeNames. 
The wildcard is the lowest-level component of a DNS name, which is at the
left as written; in abstract that might be considered "last" 
but I think most people wouldn't call it that.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
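
The leftmost-label wildcard rule discussed in this thread, as an added C example that is not part of the original messages and is not OpenSSL code. `cert_name_matches` and `name_eq` are hypothetical helpers, the sample names are constructed, and the sketch assumes a strict policy: the wildcard must be the whole leftmost label, at least two labels must follow it, and only DNS names are passed in (IP addresses are compared separately).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality for two NUL-terminated DNS names. */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if host matches the certificate name pattern, else 0.
 * Hypothetical helper (assumed policy): the only wildcard accepted is
 * "*" as the complete leftmost label, standing for exactly one label.
 * Callers pass DNS names only; IP addresses need a separate exact check. */
int cert_name_matches(const char *pattern, const char *host)
{
    const char *rest, *dot;

    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (strchr(pattern, '*') == NULL)
        return name_eq(pattern, host);   /* plain name: exact match only */
    if (pattern[0] != '*' || pattern[1] != '.')
        return 0;                        /* "192.168.1.*", "w*.example.com" */
    rest = pattern + 2;
    if (strchr(rest, '*') != NULL || strchr(rest, '.') == NULL)
        return 0;                        /* "*.*.com" and "*.com" rejected */
    dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                        /* host needs a non-empty first label */
    return name_eq(rest, dot + 1);       /* right of the first dot must agree */
}

int main(void)
{
    /* Constructed sample names. */
    printf("%d\n", cert_name_matches("*.example.com", "www.example.com"));
    printf("%d\n", cert_name_matches("*.example.com", "a.b.example.com"));
    printf("%d\n", cert_name_matches("myserver", "myserver.com"));
    printf("%d\n", cert_name_matches("192.168.1.*", "192.168.1.5"));
    return 0;
}
```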
