> On Jun 10, 2019, at 4:41 PM, Paul Smith <p...@mad-scientist.net> wrote:
> 
>> As a safety measure, OpenSSL does not support "*.tld" wildcards.
>> The non-wildcard portion of the domain name needs to have at
>> least two labels.  It seems I've neglected to document this... :-(
>> 
>> You can have "*.domain.example", but not "*.domain".
> 
> Is this something controlled by an option for X509_check_host() or is
> it just hardcoded and can't be modified?  I didn't see any options in
> the docs that seem to manage that, unless it's a side-effect.

This is not presently configurable.  I see some references to
similar policies in at least some of the major browsers, not
just OpenSSL, so it is probably best to avoid *.tld wildcards.

-- 
        Viktor.
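An added example, not code from this thread or from OpenSSL: a small Python model of the wildcard rule Viktor describes, so the policy can be checked against candidate certificate names offline. It implements only what the thread states (the wildcard is the whole leftmost label, at least two labels must follow it, and "*" matches exactly one label); OpenSSL's further refinements such as partial-label wildcards are deliberately not modelled, and the function names are assumptions of this example.

```python
# Added example: a reference model of the wildcard policy described in the
# thread (the rule X509_check_host() enforces), NOT a wrapper around libssl.
#   - the wildcard may only be the entire leftmost label ("*.x.y")
#   - the non-wildcard portion needs at least two labels, so "*.domain"
#     (a "*.tld" wildcard) is refused while "*.domain.example" is accepted
#   - "*" matches exactly one non-empty label, never zero or several
# Function names are this example's own, not OpenSSL API names.


def wildcard_pattern_is_acceptable(pattern: str) -> bool:
    """Return True if PATTERN is a wildcard name the stated policy accepts."""
    labels = pattern.lower().rstrip(".").split(".")
    if labels[0] != "*":
        return False  # wildcard must be the whole leftmost label
    rest = labels[1:]
    # Non-wildcard portion must be at least two non-empty labels:
    # this is exactly the "*.tld" refusal from the thread.
    return len(rest) >= 2 and all(rest)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match HOSTNAME against a certificate name under the wildcard policy.

    Comparison is case-insensitive (DNS names are), a wildcard consumes
    exactly one leftmost label, and a pattern that fails
    wildcard_pattern_is_acceptable() never matches anything.
    """
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h  # plain name: exact (case-folded) comparison
    if not wildcard_pattern_is_acceptable(p):
        return False  # e.g. "*.domain" or "a.*.example" is rejected outright
    p_labels = p.split(".")
    h_labels = h.split(".")
    # "*" stands for exactly one label, so label counts must agree; this is
    # what stops "*.domain.example" from matching "a.b.domain.example".
    if len(h_labels) != len(p_labels):
        return False
    return bool(h_labels[0]) and h_labels[1:] == p_labels[1:]
```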
