Tuesday, December 22, 2009
wildcard subdomain SSL certs
A friend asked:
If I bought a wildcard certificate for *.domain.com, wouldn't that cover *.sub.domain.com?
Hrm...I had to look that one up. The answer is: no, not according to the RFC. RFC 2818 states:
Matching is performed using the matching rules specified by
[RFC2459]. If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.
more here: http://www.ietf.org/rfc/rfc2818.txt
There are reports that older versions of Firefox don't complain when encountering an out of spec sub-domain SSL wild-card but IE would. I would recommend sticking with the RFC spec.
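The matching rule quoted above, written out as a small checker. This is an added example, not code from the original post or from any browser or TLS library. The function name and the test hostnames under domain.com are made up for illustration, and it assumes a * must stand for at least one character, which the quoted text does not spell out.

```python
import re


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Compare a certificate dNSName with a hostname using the RFC 2818 rule
    quoted above: '*' matches a single domain name component or a fragment
    of one, so it can never stand in for a dot."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard cannot span a dot, so both names need the same label count.
    # This is the check that rejects bar.foo.a.com for *.a.com.
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        # Build a per-label regex: literal text is escaped, each '*' becomes
        # "one or more non-dot characters" (assumption: no empty match).
        regex = "[^.]+".join(re.escape(part) for part in p.split("*"))
        if re.fullmatch(regex, h) is None:
            return False
    return True


# Constructed sample cases: the four from the RFC text, then the question
# from the post (one certificate for *.domain.com).
CASES = [
    ("*.a.com", "foo.a.com"),
    ("*.a.com", "bar.foo.a.com"),
    ("f*.com", "foo.com"),
    ("f*.com", "bar.com"),
    ("*.domain.com", "www.domain.com"),
    ("*.domain.com", "www.sub.domain.com"),
    ("*.sub.domain.com", "www.sub.domain.com"),
    ("*.domain.com", "domain.com"),
]

if __name__ == "__main__":
    for pattern, host in CASES:
        verdict = "match" if wildcard_matches(pattern, host) else "NO match"
        print(f"{pattern:<18} {host:<20} {verdict}")
```

It covers only the quoted wildcard rule and is not a complete certificate name validator. A host under sub.domain.com needs its own name or a *.sub.domain.com entry in the certificate.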