子域上的通配符 SSL [英] Wildcard SSL on sub-subdomain

问题描述

我们有一个用于 *.domain.com 的通配符 SSL 证书，并且有一个带有 sub1.sub2.domain.com 的网站.

We have a wildcard SSL certificate for *.domain.com, and have a website with sub1.sub2.domain.com.

MacOS 上的 Safari 4.0.4 弹出证书错误(大概是因为通配符解释)，而 Windows 上的 Safari 4 没有.

Safari 4.0.4 on MacOS pops up a certificate error(presumably because of wildcard interpretation), while Safari 4 on windows does not.

而且 IE8 的行为充其量是混合的，有些 IE8 显示证书错误，有些则没有.

Also IE8 behavior is mixed at best, some IE8 display the certificate error and some do not.

是什么导致了 Safari 和 IE 出现这种奇怪的行为?

What causes this strange behavior on Safari and IE?

推荐答案

*.example.net 的通配符 SSL 证书将匹配 sub.example.net 但不匹配sub.sub.example.net.

A wildcard SSL certificate for *.example.net will match sub.example.net but not sub.sub.example.net.

来自 RFC 2818:

使用由指定的匹配规则执行匹配RFC2459.如果给定类型的多个标识存在于证书(例如，多个 dNSName 名称，任何一个匹配的集合被认为是可以接受的.)名称可以包含通配符字符 * 被认为匹配任何单个域名组件或组件片段.例如，*.a.com 匹配 foo.a.com 但不是 bar.foo.a.com.f*.com 匹配 foo.com 但不匹配 bar.com.

Matching is performed using the matching rules specified by RFC2459. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

这篇关于子域上的通配符 SSL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！