1

Is there a limit to what browser versions support wildcard SSL certificates?

I can't find a valid resource that tells me if there only has been support for it since version x.

I can only find a list of browsers/servers that support Server Name Indication here: Browser Support Digicert. But that is the problem of older browsers not sending the name of the virtual domain as part of the TLS negotiation.

spankmaster79

1 Answer

2

Support for wildcards in browsers is very old and was already defined in the RFC which defined how to do certificate validation with https (RFC2818 from 2000). Early implementations were less strict than they are now, e.g. they supported multiple wildcards (like www.., now: only single wildcard in leftmost label of hostname) and allowed wildcards in xn-- labels (e.g. international names; RFC6125 forbids this: https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3).

Support for verifying the hostname in script languages or command line tools came later and is often incomplete or wrong even today (e.g. like accepting multiple wildcards or only looking into common name part). Lots of tools do not check hostname at all.

Thomas N
Steffen Ullrich
  • OK, thanks for the input. But do you have a web resource for this with details on how it did work back in the day? – spankmaster79 Jun 10 '14 at 15:04
  • The only resource I found is this list http://wiki.cacert.org/WildcardCertificates – spankmaster79 Jun 10 '14 at 15:14
  • @spankmaster79: I have no reference, but http://nils.toedtmann.net/pub/subjectAltName.txt from 2007 might be interesting too. It describes bugs in the wildcard handling of various browsers and thus lets you make some assumptions about the implementation. – Steffen Ullrich Jun 10 '14 at 15:24
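
The matching rules described in the answer above, as an added Python example that is not part of the original posts: one wildcard, leftmost label only, none inside xn-- labels, checked against the subjectAltName DNS entries rather than the common name. Requiring the wildcard to be the entire leftmost label is a choice made for this example (RFC 6125 also tolerates a partial label such as `baz*`); the function names and the sample names are constructed.

```python
def match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName entry against the requested hostname."""
    # DNS names are case-insensitive; ignore a trailing root dot.
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # The name the client asked for is never a pattern itself.
    if "*" in hostname:
        return False
    # A wildcard stands for exactly one label, so it cannot span dots
    # and "*.example.com" does not cover the bare "example.com".
    if len(p_labels) != len(h_labels):
        return False
    # No wildcard outside the leftmost label ("*.*.example.com",
    # "www.*.example.com" are the lax forms old implementations accepted).
    if any("*" in label for label in p_labels[1:]):
        return False
    # Everything to the right of the leftmost label must match exactly.
    if p_labels[1:] != h_labels[1:]:
        return False
    left = p_labels[0]
    if left == "*":
        return h_labels[0] != ""
    # Assumption of this example: a "*" embedded in a label is rejected.
    # That also covers wildcards inside xn-- labels (RFC 6125 6.4.3).
    if "*" in left:
        return False
    return left == h_labels[0]


def hostname_matches_cert(hostname: str, san_dns_names: list[str]) -> bool:
    """True if any subjectAltName dNSName entry covers the hostname."""
    return any(match_dns_name(name, hostname) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed sample patterns and hostnames, not taken from a real certificate.
    cases = [
        ("*.example.com", "www.example.com"),
        ("*.example.com", "example.com"),
        ("*.example.com", "a.b.example.com"),
        ("*.*.example.com", "a.b.example.com"),
        ("xn--*.example.com", "xn--bcher-kva.example.com"),
    ]
    for pattern, host in cases:
        print(f"{pattern:22} {host:28} {match_dns_name(pattern, host)}")
```
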