This material is a slightly updated version of what I presented as a lightning talk (LT) at the まっちゃ139勉強会 (Matcha139 study group) on July 12, 2008.
- A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.
Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
The '*' (ASCII 42) wildcard character is allowed in subjectAltName values of type dNSName, and then only as the left-most (least significant) DNS label in that value. This wildcard matches any left-most DNS label in the server name. That is, the subject *.example.com matches the server names a.example.com and b.example.com, but does not match example.com or a.b.example.com.
the semantics of subject alternative names that include wildcard characters (e.g., as a placeholder for a set of names) are not addressed by this specification. (RFC 3280) So for subjectAltName the RFC says wildcards are "not addressed". :-p (And what about the Subject field, the one that actually matters?)
Stefan Santesson (Microsoft) gave a presentation. He reported on the situation regarding support for wildcard certificates, which Netscape originally started: on the one hand, the number of platforms that can use them is growing, IE among them, and well-known CA services (certification authorities) have begun issuing wildcard certificates; on the other hand, the PKIX standard does not recognize wildcard certificates. In light of this, Santesson proposed that one of the following should be done: i. publish an Informational RFC, or ii. amend 3280bis (after it has become an RFC) so that it acknowledges the existence of wildcards. (omitted) This discussion was to be continued on the mailing list and elsewhere.
Browser (rows) against the certificate name pattern (columns) for the test host:

Browser    | *   | *.test | *.oreore.test | m*.oreore.test | *9.oreore.test
IE6        | x   | x      | ○             | ○              | x
Firefox3   | ○   | ○      | ○             | ○              | ○
Firefox2   | ○   | ○      | ○             | ○              | ○
Opera9.27  | ○   | ○      | ○             | ○              | ○

(○ = the browser accepted the certificate name as matching the test host, x = it did not)
As described in RFC 2595, Microsoft's implementation allows a * in the leftmost element of the server's CN only. Within that leftmost element, there can be text to the left of the * but not to the right.
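To make the three rule sets quoted above concrete, here is an added example (my code, not anything from the talk) that implements host-name matching under RFC 2818's "component or component fragment" rule, the RFC 2595 / RFC 4513 "whole left-most label only" rule, and the Microsoft rule just quoted, and runs all five patterns from the table through each. The host name matcha139.oreore.test is an assumption: the page does not say which name the browsers were tested against, only that the first label must start with "m" and end in "9" for the table to come out as it does. Under these assumptions the Microsoft column reproduces the IE6 row exactly.

```python
"""Wildcard host-name matching under the three rule sets quoted on this page.

Added example, not code from the talk. The host 'matcha139.oreore.test' is
an assumption; the page does not state the name the browsers were tested with.
"""
from __future__ import annotations

import re


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def match_rfc2818(pattern: str, host: str) -> bool:
    """RFC 2818 section 3.1: '*' matches any single component or a fragment of
    one: '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com', and
    'f*.com' matches 'foo.com' but not 'bar.com'."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):          # a wildcard never spans a dot
        return False
    for pl, hl in zip(p, h):
        # '*' may sit anywhere inside a label; build a per-label regex
        regex = "^" + ".*".join(re.escape(part) for part in pl.split("*")) + "$"
        if not re.match(regex, hl):
            return False
    return True


def match_rfc4513(pattern: str, host: str) -> bool:
    """RFC 2595 / RFC 4513 rule: '*' is only allowed as the entire left-most
    label, and it matches exactly one left-most label of the host."""
    p, h = _labels(pattern), _labels(host)
    if "*" in "".join(p[1:]):
        return False              # wildcard outside the left-most label
    if p[0] == "*":
        return len(p) == len(h) and p[1:] == h[1:]
    return p == h                 # 'm*' style is not a wildcard here: exact match only


def match_microsoft(pattern: str, host: str) -> bool:
    """Rule stated for Microsoft's implementation: '*' only in the left-most
    CN element, with text permitted to its left but not to its right."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or p[1:] != h[1:]:
        return False              # every label but the first must be identical
    first = p[0]
    if "*" not in first:
        return first == h[0]
    if first.count("*") != 1 or not first.endswith("*"):
        return False              # '*9' style: text to the right of '*'
    return h[0].startswith(first[:-1])


POLICIES = {
    "RFC 2818": match_rfc2818,
    "RFC 2595/4513": match_rfc4513,
    "Microsoft": match_microsoft,
}

# The five certificate name patterns from the browser table on this page.
PATTERNS = ["*", "*.test", "*.oreore.test", "m*.oreore.test", "*9.oreore.test"]


def evaluate(host: str, patterns: list[str] = PATTERNS) -> dict[str, dict[str, bool]]:
    """Return {policy name: {pattern: matched?}} for the given host."""
    return {name: {pat: fn(pat, host) for pat in patterns}
            for name, fn in POLICIES.items()}


if __name__ == "__main__":
    host = "matcha139.oreore.test"   # assumed test host, see module docstring
    results = evaluate(host)
    print("pattern".ljust(18) + "".join(n.ljust(16) for n in POLICIES))
    for pat in PATTERNS:
        row = "".join(("o" if results[n][pat] else "x").ljust(16) for n in POLICIES)
        print(pat.ljust(18) + row)
```

Two things the run shows that the table alone does not: "*9.oreore.test" is legal under RFC 2818 (a fragment match) but rejected by both the RFC 4513 rule and the Microsoft rule, which explains the IE6 column; and a bare "*" or "*.test" matches a three-label host under none of the three rule sets, so the Firefox and Opera results in the table go beyond even RFC 2818's single-component wording.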
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.
    Listen 443
    NameVirtualHost *:443
    SSLStrictSNIVHostCheck off

    <VirtualHost *:443>
        SSLEngine On
        ServerName kirk:443
        DocumentRoot /var/www/html/kirk
        SSLCertificateFile /etc/httpd/certs/kirk.crt
        SSLCertificateKeyFile /etc/httpd/private/kirk.key
    </VirtualHost>

    <VirtualHost *:443>
        SSLEngine On
        ServerName spock:443
        DocumentRoot /var/www/html/spock
        SSLCertificateFile /etc/httpd/certs/spock.crt
        SSLCertificateKeyFile /etc/httpd/private/spock.key
    </VirtualHost>

With SSLStrictSNIVHostCheck off, a client that sends no SNI extension is served by the first VirtualHost (kirk) and presented with kirk's certificate; with it on, non-SNI clients are refused access to the name-based SSL hosts instead.
    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerName test.example.com
        SSLEngine Optional
        SSLCertificateFile /etc/httpd/server.crt
        SSLCertificateKeyFile /etc/httpd/server.key
        <Directory /var/www/rfc2817>
            SSLRequireSSL
        </Directory>
    </VirtualHost>

SSLEngine Optional enables the RFC 2817 upgrade path (TLS negotiated inside the existing port 80 connection) on an otherwise plain-HTTP virtual host; SSLRequireSSL on /var/www/rfc2817 is what makes the server demand the upgrade for that directory.
Requesting that directory over plain HTTP, the response came back looking like this:

    HTTP/1.x 426 Upgrade Required
    Server: Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.8e PHP/5.2.3
    Upgrade: TLS/1.0, HTTP/1.1
    Connection: Upgrade, Keep-Alive
    Keep-Alive: timeout=5, max=100
Thank you for listening.