(In reply to comment #20)
> (In reply to comment #17)
> > Created an attachment (id=288138)
> > Test program (for illustration purposes only)
> <snip>
> > *.*.example.com does not match hostname foo.bar.example.com
>
> *.*.example.com *should* match foo.bar.example.com. My company uses a
> *.* certificate and this would break our website in Firefox.
>
While reading RFC 2595:
- A "*" wildcard character MAY be used as the left-most name
component in the certificate. For example, *.example.com would
match a.example.com, foo.example.com, etc. but would not match
example.com.
And in RFC 2818:
Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment.
So *.*.example.com should work according to 2818 but not 2595. But 2818 is "HTTP Over TLS" and 2595 is "Using TLS with IMAP, POP3 and ACAP", and since Firefox is a web browser and not an email client, I think it should follow 2818. Furthermore, the wording in 2595 seems to have been intended to ensure that wildcards were leftmost, and to disallow cases like example.*. It seems to me just sloppy wording on the part of the author that disallowed *.*.example.com.
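The two readings compared in the comment above, as an added example that is not part of the original thread and is not Firefox's matching code. It implements each RFC passage literally (function names and test cases are constructed for illustration) to show exactly where the two disagree.

```python
import re

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def match_rfc2595(pattern, host):
    """Literal reading of RFC 2595: '*' only as the whole left-most component."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or not all(h):
        return False
    if any("*" in label for label in p[1:]):
        return False              # wildcard anywhere but the left-most label
    if "*" in p[0] and p[0] != "*":
        return False              # 2595 does not describe partial labels
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def match_rfc2818(pattern, host):
    """Literal reading of RFC 2818: '*' matches one component or a fragment."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or not all(h):
        return False              # a wildcard never spans a '.'
    for pat_label, host_label in zip(p, h):
        # Turn each '*' into a within-label wildcard, everything else literal.
        rx = ".*".join(re.escape(part) for part in pat_label.split("*"))
        if not re.fullmatch(rx, host_label):
            return False
    return True

# Constructed cases: the first three come from the thread, the rest from the RFC text.
CASES = [
    ("*.example.com", "a.example.com"),
    ("*.example.com", "example.com"),
    ("*.*.example.com", "foo.bar.example.com"),
    ("example.*", "example.com"),
    ("f*.com", "foo.com"),
    ("*.a.com", "bar.foo.a.com"),
]

def compare(cases=CASES):
    # (pattern, host, matches under 2595 reading, matches under 2818 reading)
    return [(p, h, match_rfc2595(p, h), match_rfc2818(p, h)) for p, h in cases]

if __name__ == "__main__":
    for pattern, host, r2595, r2818 in compare():
        print(f"{pattern:18} {host:22} 2595={r2595!s:5} 2818={r2818}")
```

Read literally, the RFC 2818 text places no restriction on which label carries the wildcard, so it also accepts example.* for example.com, the case the comment says the RFC 2595 wording was meant to rule out.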