子子域上的通配符 SSL [英] Wildcard SSL on sub-subdomain
问题描述
我们有一个 *.domain.com
的通配符 SSL 证书,并且有一个带有 sub1.sub2.domain.com
的网站.
We have a wildcard SSL certificate for *.domain.com
, and have a website with sub1.sub2.domain.com
.
MacOS 上的 Safari 4.0.4 会弹出证书错误(可能是由于通配符解释),而 Windows 上的 Safari 4 则不会.
Safari 4.0.4 on MacOS pops up a certificate error(presumably because of wildcard interpretation), while Safari 4 on windows does not.
此外,IE8 的行为充其量是混合的,一些 IE8 显示证书错误,而另一些则不显示.
Also IE8 behavior is mixed at best, some IE8 display the certificate error and some do not.
是什么导致 Safari 和 IE 出现这种奇怪的行为?
What causes this strange behavior on Safari and IE?
推荐答案
*.example.net 的通配符 SSL 证书将匹配 sub.example.net 但不匹配sub.sub.example.net.
A wildcard SSL certificate for *.example.net will match sub.example.net but not sub.sub.example.net.
来自 RFC 2818:
使用指定的匹配规则执行匹配RFC2459.如果给定类型的多个身份存在于证书(例如,多个 dNSName 名称,任何一个匹配集合中的一个被认为是可接受的.)名称可能包含通配符字符 *
被认为匹配任何单个域名组件或组件片段.例如,*.a.com
匹配 foo.a.com
但不是 bar.foo.a.com
.f*.com
匹配 foo.com
但不匹配 bar.com
.
Matching is performed using the matching rules specified by RFC2459. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character
*
which is considered to match any single domain name component or component fragment. E.g.,*.a.com
matchesfoo.a.com
but notbar.foo.a.com
.f*.com
matchesfoo.com
but notbar.com
.
这篇关于子子域上的通配符 SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!