security - 为什么允许没有子域的站点使用通配符证书?
Wildcard certificates对于 *.company.com 不应该对 company.com 有效。然而familysearch.org使用通配符证书 *.familysearch.org。
Chrome、Firefox、IE、wget 和 curl 都没有提示它。为什么?有趣的是,cfhttp确实提示。谁是正确的?
curl 片段:
* Server certificate:
* subject: C=US; postalCode=84150; ST=Utah; L=Salt Lake City; street=50 East North Temple Street; O=Intellectual Reserve Inc.; OU=PremiumSSL Wildcard; CN=*.familysearch.org
* start date: 201
* expire date: 201
* subjectAltName: familysearch.org matched
* issuer: C=G
* SSL certificate verify ok.
Chrome 屏幕截图:
cfhttp 错误:
Charset [empty string]
ErrorDetail I/O Exception: Name in certificate `*.familysearch.org' does not match host name `familysearch.org'
Filecontent Connection Failure
Header [empty string]
Mimetype Unable to determine MIME type of file.
Responseheader struct [empty]
Statuscode Connection Failure. Status code unavailable.
Text YES
有问题的证书有一个 Subject Alternative Name familysearch.org
的 (SAN)。因此,该证书对 *.familysearch.org
和 familysearch.org
均有效。
仅供引用,curl 实际上是通过以下行让您知道这一点:
subjectAltName: familysearch.org matched