Salmaan P
Reputation: 857
Is a wildcard in SNI valid?
Came across a packet capture where the client hello SNI had this value *.immedia-semi.com. Is having a wildcard in the SNI valid?
Upvotes: 1
Views: 2061
Answers (1)
Steffen Ullrich
Reputation: 123461
The server_name extension (SNI) is intended to specify a hostname. From RFC 6066:
"HostName" contains the fully qualified DNS hostname of the server, as understood by the client.
Given that a wildcard is not a valid FQDN it is not valid here either. Similar IP addresses are not FQDN too and are even explicitly forbidden here.
Client TLS implementations usually don't check what is given by the program as SNI too use and thus sometimes broken SNI are seen in the wild, caused by application bugs.
Upvotes: 2
Related Questions
- Certificate wildcard SAN gets ignored?
- Can I use wildcard SNI matching with HAProxy?
- SNI with wildcard certificate on IIS 8.5
- Non-TLD wildcard in SAN for self-signed ssl cert
- IIS 7 and SSL wildcard certificate
- SSL Wild Card issue
- SSL certificate - are wildcards in SAN extension allowed or not?
- Is it technically possible to issue a fully wildcard SSL certificate?
- OpenSSL Wildcard Certificate and hostname Certificate