• WildcardCertificates

About Wildcard Certificates

You'll probably know that certificates containing the wildcard character "*" in the CN of a server are called wildcard certificates.

RFC 2818 "HTTP Over TLS" states the following:

• Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

On the other hand there is RFC 2595 "Using TLS with IMAP, POP3 and ACAP" which states:

• A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.

RFC 2459 explicitly does not address wildcards in host/domain name matching.

So it seems that there are different specifications for different protocols...

Interoperability study

Since Mozilla does not match the names according to RFC 2818 there may be other products that do not.

Please add your own browser/tool/library/application here.

OpenSSL

The OpenSSL library does not contain code to check the server's name in the certificate, so it's up to the application wether to accept wildcards or not.

Internet Explorer

Internet Explorer 6.0.2800.1106: * does not match subdomains

Mozilla & Co

SeaMonkey 1.0.5 on Linux&Windows: * matches subdomains.

Firefox

• 1.5.0.7/Windows: matches subdomains, the hostname that was entered (NOT the certificate's CN, which I'd consider a bug) is displayed in the statusline. This is filed as a bug in https://bugzilla.mozilla.org/show_bug.cgi?id=159483 so it may be fixed in a new release. But since the bug was opened in 2002 we may probably have to live with it for some more time...

• 3.0.0b5/Ubuntu: matches subdomains.

Konqueror

• Konqueror 3.5.1: does not match subdomains.
• Konqueror 3.5.4-0.5.fc5: matches subdomains (use the lock on the iconbar to inspect the KDE SSL information).
• Konqueror 3.5.9: matches subdomains.

Fixed in SVN in November 2005: http://bugs.kde.org/show_bug.cgi?id=106476

Opera

• Opera 9.00: does seem to match subdomains.
• Opera 9.27: matches subdomains

Safari

• 3.1 (5525.13): matches subdomains

Lynx

Lynx 2.6.8rel.1 on FreeBSD: Does not match wildcards at all