[gnutls-devel] More hostname matching goodness

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Mar 24 09:45:59 CET 2014


On Sat, Mar 22, 2014 at 4:04 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> Hi Gentleman/Nikos,
> Here's another that looks illegal per the RFCs and CA/B Baseline.
> Create a server cert with a single SAN of "WWW.*.COM":

Hello Jeffrey,
This is a legal wildcard based on an RFC 2818 interpretation that our
wildcard parser was based on. I agree with you that wildcard support
shouldn't extend so much. I have already limited the scope of
wildcards to just a left-most '*' in GnuTLS 3.3.0 (to follow RFC 6125),
with the intention to completely drop wildcard support at some point.
I'll also restrict the code of existing releases (3.2 and 3.1) to two
domain components after the wildcard rule, to reduce any compatibility
issues. Thank you for bringing these issues up.

regards,
Nikos
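As an added illustration (my own example, not GnuTLS code), here is a C matcher implementing the RFC 6125 left-most-label rule the reply describes: a '*' is accepted only as the whole left-most label, so a SAN like "WWW.*.COM" never matches. The `min_tail` parameter is a name chosen for this example; passing 2 reproduces the "two domain components after the wildcard" restriction mentioned for the 3.1/3.2 releases.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive comparison of n bytes (DNS names are case-insensitive). */
static bool label_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Number of dot-separated labels in a non-empty name ("example.com" -> 2). */
static int count_labels(const char *s)
{
    int n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/*
 * RFC 6125 style match of a certificate name against a hostname:
 * '*' is allowed only as the entire left-most label of the pattern and
 * matches exactly one label of the host. min_tail is the minimum number
 * of labels that must follow the wildcard (2 = two domain components).
 */
bool hostname_matches(const char *pattern, const char *host, int min_tail)
{
    const char *star = strchr(pattern, '*');
    if (star == NULL)                           /* no wildcard: exact match */
        return strlen(pattern) == strlen(host) &&
               label_eq(pattern, host, strlen(host));
    if (star != pattern || pattern[1] != '.')   /* "*." must be the prefix */
        return false;                           /* rejects "WWW.*.COM", "w*.x" */
    if (strchr(star + 1, '*') != NULL)          /* at most one wildcard */
        return false;
    const char *tail = pattern + 2;             /* labels after the wildcard */
    if (*tail == '\0' || count_labels(tail) < min_tail)
        return false;
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host)           /* host needs a left-most label */
        return false;
    return strlen(hdot + 1) == strlen(tail) &&
           label_eq(hdot + 1, tail, strlen(tail));
}
```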
