chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

IDNA matching for wildcards in SAN #52

Open tiran opened 9 years ago

tiran commented 9 years ago

Here is another test case for your awesome project. A partial wildcard in subjectAltName must not match an IDNA label. For example "x*.example.org" must not match "xn--tst-bma.example.org" (IDNA for tést.example.org).

I fixed the bug in Python and Mozilla last year: http://bugs.python.org/issue17997 https://www.mozilla.org/en-US/security/advisories/mfsa2014-45/
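A hostname matcher that applies the rule described in this report, as an added example (it is not badssl.com's code, nor the actual Python or Mozilla patch; `naive_match` stands in for the pre-fix behaviour and `dnsname_match` for the corrected one):

```python
import re


def naive_match(pattern: str, hostname: str) -> bool:
    """Pre-fix behaviour: expand every '*' to '[^.]*' and compare.

    This lets 'x*.example.org' claim 'xn--tst-bma.example.org', the
    A-label for tést.example.org, which the certificate never named.
    """
    regex = re.escape(pattern.lower()).replace(r'\*', '[^.]*')
    return re.fullmatch(regex, hostname.lower()) is not None


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Match a certificate DNS name against a hostname, label by label.

    Rules: case-insensitive; one wildcard, only in the left-most label;
    a wildcard never spans a dot; a lone '*' matches one non-empty label;
    a partial wildcard (e.g. 'x*') is never expanded against an IDNA
    A-label (one starting with 'xn--'), and an 'xn--' pattern label is
    compared literally even if it contains '*'.
    """
    if not pattern or not hostname:
        return False
    pat_labels = pattern.lower().split('.')
    host_labels = hostname.lower().split('.')
    leftmost, rest = pat_labels[0], pat_labels[1:]
    if any('*' in label for label in rest):
        raise ValueError('wildcard only allowed in the left-most label: %r' % pattern)
    if leftmost.count('*') > 1:
        raise ValueError('too many wildcards in %r' % pattern)
    # Label counts must agree, so a wildcard can never cover 'a.b'.
    if len(pat_labels) != len(host_labels):
        return False
    if '*' not in leftmost:
        return pat_labels == host_labels
    if leftmost == '*':
        first_ok = host_labels[0] != ''
    elif leftmost.startswith('xn--') or host_labels[0].startswith('xn--'):
        # Partial wildcard vs. IDNA A-label: literal comparison only.
        first_ok = leftmost == host_labels[0]
    else:
        regex = re.escape(leftmost).replace(r'\*', '[^.]*')
        first_ok = re.fullmatch(regex, host_labels[0]) is not None
    return first_ok and rest == host_labels[1:]
```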

lgarron commented 9 years ago

If I recall correctly, browsers don't even accept x*.example.org. Is it even possible to get a cert like that signed by a public CA?

Either way, I'd be happy to accept a PR adding it to cert-generator.sh for local testing.