I have a wildcard certificate for *.xxx.xx and it is rejected when matched against aaa.xxx.xx. The relevant code is in x509-validation/Data/X509/Validation.hs:
    wildcardMatch l
        -- <star>.com or <star> is always invalid
        | length l < 2 = [InvalidWildcard]
        -- some TLD like .uk got small subTLD like (.co.uk), and we don't want to accept *.co.uk
        | length (head l) <= 2 && length (head $ drop 1 l) <= 3 && length l < 3 = [InvalidWildcard]
        | l == take (length l) (reverse $ splitDot fqhn) = [] -- success: we got a match
        | otherwise = [NameMismatch fqhn]
There are many two-character TLDs under which ordinary people can register three-letter domains.
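To make the rejection reproducible outside the library, here is an added stand-alone re-implementation of the guards quoted above (example code, not the x509-validation project's own); it assumes a `matchWildcard` wrapper that strips the leading "*" label and reverses the remaining labels before calling `wildcardMatch`, and a minimal `splitDot`.

```haskell
-- Added example: re-implements the quoted wildcardMatch guards so their
-- effect on concrete names can be checked. Not the library's own code.
module Main where

data FailedReason = InvalidWildcard | NameMismatch String
  deriving (Show, Eq)

-- Split a host name on '.', keeping label order ("aaa.xxx.xx" -> ["aaa","xxx","xx"]).
splitDot :: String -> [String]
splitDot s = case break (== '.') s of
  (a, "")       -> [a]
  (a, _ : rest) -> a : splitDot rest

-- Same guards as the library code: l is the pattern's labels after "*",
-- in reverse order (TLD first); fqhn is the host name being validated.
wildcardMatch :: String -> [String] -> [FailedReason]
wildcardMatch fqhn l
  -- <star>.com or <star> is always invalid
  | length l < 2 = [InvalidWildcard]
  -- heuristic meant to block *.co.uk; it also fires for *.xxx.xx
  | length (head l) <= 2 && length (head $ drop 1 l) <= 3 && length l < 3 = [InvalidWildcard]
  | l == take (length l) (reverse $ splitDot fqhn) = [] -- success: we got a match
  | otherwise = [NameMismatch fqhn]

-- Assumed wrapper (constructed for this example): only "*.suffix" patterns.
matchWildcard :: String -> String -> [FailedReason]
matchWildcard pat fqhn = case splitDot pat of
  ("*" : rest) -> wildcardMatch fqhn (reverse rest)
  _            -> [NameMismatch fqhn]

main :: IO ()
main = mapM_ report
  [ ("*.xxx.xx",      "aaa.xxx.xx")      -- valid 3-letter domain under a 2-letter TLD, yet [InvalidWildcard]
  , ("*.co.uk",       "foo.co.uk")       -- the case the heuristic targets: [InvalidWildcard]
  , ("*.example.com", "www.example.com") -- ordinary case: []
  , ("*.example.com", "www.other.com")   -- plain mismatch: [NameMismatch "www.other.com"]
  ]
  where
    report (p, h) = putStrLn (p ++ " vs " ++ h ++ ": " ++ show (matchWildcard p h))
```

The first two cases are indistinguishable to the length-based guard, which is exactly the false rejection this issue describes.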