OpenSSL x509 certificates and wildcard hostname checking


Currently working on adding hostname checking support to all SSL connections to a server application that uses OpenSSL 1.1.1k. The server should accept subdomains, i.e., maps.example.com, mail.example.com, etc., with one reference identifier option to match all subdomains.

Went through https://www.openssl.org/docs/manmaster/man3/X509_check_host.html and found wildcard matching is possible.

Had a test using a client certificate with Subject Alternative Name maps.example.com.

Explicit hostname match works with a check hostname of maps.example.com. But the match fails when a wildcard check hostname is used, i.e., *.example.com.

Please let me know if my understanding of the wildcard hostname checking is not correct.

Below is the commandline variant of the same checks:

% openssl x509 -noout -in client-cert.pem -ext subjectAltName
X509v3 Subject Alternative Name:
    DNS:maps.example.com

% openssl x509  -noout -in client-cert.pem -checkhost maps.example.com
Hostname maps.example.com does match certificate

% openssl x509  -noout -in client-cert.pem -checkhost '*.example.com'
Hostname *.example.com does NOT match certificate
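Added example, not part of the question above: a shell script that builds two constructed self-signed certificates, one carrying the SAN from the question and one carrying a wildcard SAN, and runs the same -checkhost queries against both. It assumes an openssl binary on PATH that supports -addext (1.1.1 or later); the output shows that the wildcard is honoured only when it sits in the certificate's SAN, while a `*` in the name being checked is compared as a literal.

```shell
#!/bin/sh
# Added example (not the question's code): where the wildcard has to live.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SAN: constructed self-signed test certificate whose
# subjectAltName holds the single DNS entry SAN.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# check_host NAME HOST: exit 0 only when `openssl x509 -checkhost` reports
# that HOST matches certificate NAME (same check as the question's commands).
check_host() {
    openssl x509 -noout -in "$WORK/$1.pem" -checkhost "$2" \
        | grep -qF "Hostname $2 does match certificate"
}

make_cert exact maps.example.com   # the certificate from the question
make_cert wild '*.example.com'     # wildcard placed in the certificate

# Same reference identifiers against both certificates.
for host in maps.example.com '*.example.com' a.b.example.com example.com; do
    for cert in exact wild; do
        if check_host "$cert" "$host"; then r=match; else r="NO match"; fi
        printf '%-6s %-16s %s\n' "$cert" "$host" "$r"
    done
done
```

Only `wild maps.example.com` and `exact maps.example.com` report a match: the wildcard covers exactly one leftmost label, so `a.b.example.com` and the bare `example.com` are rejected even by the wildcard certificate.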
