为什么没有子域的站点允许使用通配符证书?

时间:2013-08-01 15:37:07

标签: security ssl ssl-certificate

* .company.com的

Wildcard certificates不应该对company.com有效。但familysearch.org使用通配符证书* .familysearch.org。

Chrome,Firefox,IE,wget和curl都没有抱怨它。为什么?有趣的是,确实抱怨。谁是对的?

curl snippet:

* Server certificate:
*        subject: C=US; postalCode=84150; ST=Utah; L=Salt Lake City; street=50 East North Temple Street; O=Intellectual Reserve Inc.; OU=PremiumSSL Wildcard; CN=*.familysearch.org
*        start date: 201
*        expire date: 201
*        subjectAltName: familysearch.org matched
*        issuer: C=G
*        SSL certificate verify ok.

Chrome屏幕截图:

enter image description here

cfhttp错误:

Charset [empty string] 
ErrorDetail I/O Exception: Name in certificate `*.familysearch.org' does not match host name `familysearch.org' 
Filecontent Connection Failure 
Header  [empty string] 
Mimetype    Unable to determine MIME type of file. 
Responseheader  struct [empty]

Statuscode  Connection Failure. Status code unavailable. 
Text    YES

1 个答案:

答案 0 :(得分:6)

相关证书的Subject Alternative Name(SAN)为familysearch.org。因此,证书对 {/ em> *.familysearch.orgfamilysearch.org都有效。

仅供参考,curl实际上是让你知道这一点,用以下几行:

  

subjectAltName:familysearch.org匹配

相关问题
最新问题