letoams / hash-slinger

GNU General Public License v2.0

Does not handle wildcards in certs? #9

Closed bortzmeyer closed 8 years ago

bortzmeyer commented 8 years ago

% tlsa --verify good.dane.verisignlabs.com
WARNING: Name on the certificate (Subject: /C=US/ST=Virginia/L=Reston/O=Verisign, Inc./OU=Technology Services Group/CN=*.dane.verisignlabs.com, SubjectAltName: DNS:*.dane.verisignlabs.com) doesn't match requested hostname (good.dane.verisignlabs.com).
Caution: name on the cert does not match hostname
SUCCESS (usage 3): The certificate offered by the server matches the TLSA record
WARNING: Name on the certificate (Subject: /C=US/ST=Virginia/L=Reston/O=Verisign, Inc./OU=Technology Services Group/CN=*.dane.verisignlabs.com, SubjectAltName: DNS:*.dane.verisignlabs.com) doesn't match requested hostname (good.dane.verisignlabs.com).
Caution: name on the cert does not match hostname
SUCCESS (usage 3): The certificate offered by the server matches the TLSA record

IMHO, the cert should match, because of the wildcard *.dane.verisignlabs.com

letoams commented 8 years ago

fixed in git and will be in 2.7

paul@bofh:~/git/hash-slinger (master)$ ./tlsa --verify good.dane.verisignlabs.com
SUCCESS (usage 3): Certificate offered by the server matches the TLSA record (72.13.58.31)

and -d shows the wildcard:

The matched certificate has Subject: /C=US/ST=Virginia/L=Reston/O=Verisign, Inc./OU=Technology Services Group/CN=*.dane.verisignlabs.com
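The check the thread is about, written out as an added example (not hash-slinger's own code and not the fix that went into 2.7): a hostname is matched against the certificate's presented names following the RFC 6125 section 6.4.3 wildcard rules, so that `good.dane.verisignlabs.com` matches `*.dane.verisignlabs.com` while `*.com`, partial-label wildcards, a wildcard swallowing more than one label, and IP literals are all rejected. `SAMPLE_CERT_NAMES` is a constructed stand-in for the certificate shown above; `naive_exact_match` shows the wildcard-unaware comparison that produces the warning reported in the issue.

```python
"""Hostname vs. certificate-name matching with RFC 6125 wildcard rules.
Added example for this issue; not hash-slinger's code."""
import ipaddress
import re

# Constructed sample mirroring the certificate in the issue (not fetched
# from the network): wildcard in both the Subject CN and the SAN.
SAMPLE_CERT_NAMES = {
    "subject_cn": "*.dane.verisignlabs.com",
    "san_dns": ["*.dane.verisignlabs.com"],
}

# A single DNS label: LDH rule, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _is_ip(host):
    """True for IPv4/IPv6 literals; wildcards must never match those."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def label_matches(pattern, hostname):
    """Match one presented identifier (CN or SAN dNSName) against the
    reference hostname. Wildcard rules (RFC 6125 sec. 6.4.3):
    '*' is accepted only as the entire left-most label, it matches
    exactly one label, and at least two labels must follow it so
    '*.com' can never match."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or _is_ip(hostname):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels          # plain, case-insensitive compare
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                          # 'f*o.example.com', 'a.*.b' rejected
    if len(p_labels) < 3:
        return False                          # '*.com' style patterns rejected
    if len(h_labels) != len(p_labels):
        return False                          # '*' matches one label, not 0 or 2+
    if not _LABEL_RE.match(h_labels[0]):
        return False                          # the matched label must be a real label
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert_names, hostname):
    """Prefer SAN dNSNames when present (RFC 6125: the CN is then ignored),
    otherwise fall back to the Subject CN."""
    candidates = cert_names.get("san_dns") or [cert_names.get("subject_cn", "")]
    return any(label_matches(c, hostname) for c in candidates)


def naive_exact_match(cert_names, hostname):
    """The wildcard-unaware comparison that yields the warning in the issue."""
    return cert_names.get("subject_cn", "").lower() == hostname.lower()


if __name__ == "__main__":
    host = "good.dane.verisignlabs.com"
    print("exact compare:", naive_exact_match(SAMPLE_CERT_NAMES, host))
    print("wildcard-aware:", cert_matches_hostname(SAMPLE_CERT_NAMES, host))
```

Note that a wildcard-aware match is only half of the TLSA usage 3 story: with DANE-EE the TLSA record already pins the end-entity certificate, so the name check is a consistency warning rather than the thing that decides trust, which is why the original run still reported SUCCESS despite the mismatch.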