Problem:
Server: Subject Alternative Name (SAN) in server certificate: *test.example.com
Client: Server Name Indicator (SNI) given from client side: mytest.example.com
Result: handshake fail!
Although for a similar scenario,
Server: Subject Alternative Name (SAN) in server certificate: *.example.com
Client: Server Name Indicator (SNI) given from client side: mytest.example.com
Result: handshake successful!
Query:
I need to conduct a successful handshake for SAN *test.example.com. I'm guessing OpenBSD must have an option to make the first match (which is failing now) valid. Can someone please help me with this?
What the RFC has to say (RFC 6125, Sec. 6.4.3): The client MAY match a presented identifier in which the wildcard character is not the only character of the label (e.g., baz*.example.net and *baz.example.net and b*z.example.net would be taken to match baz1.example.net and foobaz.example.net and buzz.example.net, respectively). However, the client SHOULD NOT attempt to match a presented identifier where the wildcard character is embedded within an A-label or U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].
Thanks in advance.
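The following is an added example, not code from the question or from OpenBSD/LibreSSL, showing why the two scenarios above behave differently: a hostname matcher written to RFC 6125 section 6.4.3, with the partial wildcard ("*test") form behind an opt-in flag because the RFC makes it a MAY, while the whole-label wildcard ("*.example.com") is the baseline behaviour. The function names, the `allow_partial_wildcard` flag and the constructed sample names are this example's own; it does not reflect any particular TLS library's option set.

```python
"""RFC 6125 section 6.4.3 style reference-identifier matching (added example).

A presented identifier comes from the certificate's SAN dNSName entry; the
reference identifier is the name the client asked for (the SNI value).
"""


def _label_matches(pattern_label: str, host_label: str, allow_partial: bool) -> bool:
    """Match one DNS label against one (possibly wildcarded) certificate label."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    if pattern_label == "*":
        # Whole-label wildcard: the common case every client accepts.
        return len(host_label) > 0
    if not allow_partial:
        # "*test", "baz*", "b*z": RFC 6125 says the client MAY accept these,
        # so a strict client simply refuses them.
        return False
    if pattern_label.count("*") > 1:
        return False
    prefix, suffix = pattern_label.split("*")
    # Require the star to stand for at least one character, matching the
    # non-empty rule used for the bare "*" label above (design choice).
    if len(host_label) < len(prefix) + len(suffix) + 1:
        return False
    return host_label.startswith(prefix) and host_label.endswith(suffix)


def match_hostname(presented: str, reference: str, allow_partial_wildcard: bool = False) -> bool:
    """Return True if the certificate name `presented` covers `reference`."""
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")

    # A wildcard never spans label boundaries: label counts must be equal.
    if len(p_labels) != len(r_labels):
        return False
    # Wildcards are only permitted in the left-most label.
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    if "*" in p_labels[0]:
        # Refuse wildcards that would cover a whole public suffix ("*.com").
        if len(p_labels) < 3:
            return False
        # SHOULD NOT match a wildcard embedded in an A-label (IDNA, "xn--").
        if p_labels[0].startswith("xn--") or r_labels[0].startswith("xn--"):
            return False
    if not _label_matches(p_labels[0], r_labels[0], allow_partial_wildcard):
        return False
    return p_labels[1:] == r_labels[1:]


if __name__ == "__main__":
    # Constructed sample values taken from the question's two scenarios.
    for san, sni in (("*test.example.com", "mytest.example.com"),
                     ("*.example.com", "mytest.example.com")):
        strict = match_hostname(san, sni)
        lenient = match_hostname(san, sni, allow_partial_wildcard=True)
        print(f"SAN {san:20} SNI {sni:20} strict={strict} partial-ok={lenient}")
```

Running it reproduces the observed result: `*.example.com` matches under both settings, while `*test.example.com` only matches when the client opts into partial wildcards. A client that fails the first handshake is therefore behaving within the RFC; the fix on the operator side is to issue a certificate with `*.example.com` (or the literal host name) rather than relying on an optional matching rule.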