Version: 3.4.0 (using KDE KDE 3.4.0)
Installed from: Fedora RPMs
OS: Linux

A wildcard SSL certificate issued to a domain should work not only with all subdomains but on the domain itself. For example, *.kde.org should work not only for https://www.kde.org and https://bugs.kde.org, but also just https://kde.org.

For a live example, go here: https://infinitydrive.net
Click "Details" when the warning pops up.
I don't agree. "*." doesn't match ""
Not in the strictest sense, no, but that is certainly the way it is intended. More importantly, not allowing it to match requires the purchase of an extra SSL certificate. So, by being pedantic about it, nothing is gained - BUT everyone who runs a domain like that will be required to pay an extra $100+ per year to purchase and maintain an extra cert. It would be quite ironic if software from the for-profit companies Microsoft and Apple (both of whose browsers match *. to no subdomain, just as I suggest) allowed you to avoid the purchase of the extra certificate, but free software demanded that you spend the extra money.
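The two positions argued above, written out as an added example (not KDE's code and not part of the original thread): a standalone C++ matcher in which accepting the bare domain for a `*.` name is an explicit policy choice. The names `hostMatchesName` and `BareDomain` are hypothetical, it uses `std::string` rather than Qt, and the hosts in `main` are constructed inputs.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

enum class BareDomain { Reject, Accept };  // hypothetical policy switch

// DNS names compare case-insensitively, so normalise to lower-case ASCII.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Count dot-separated labels; 0 means malformed (empty name or empty label).
static int labelCount(const std::string& name) {
    int labels = 0;
    std::string::size_type start = 0;
    for (;;) {
        const std::string::size_type dot = name.find('.', start);
        const std::string::size_type end = (dot == std::string::npos) ? name.size() : dot;
        if (end == start) return 0;
        ++labels;
        if (dot == std::string::npos) return labels;
        start = dot + 1;
    }
}

// certName: CN or dNSName from the certificate; host: the name the client asked for.
bool hostMatchesName(const std::string& certName, const std::string& host, BareDomain policy) {
    const std::string pattern = lower(certName), h = lower(host);
    if (labelCount(h) == 0) return false;
    if (pattern.compare(0, 2, "*.") != 0) return pattern == h;  // no wildcard: exact match
    const std::string base = pattern.substr(2);
    // Need two labels after "*." so a name like "*.org" can never match anything.
    if (base.find('*') != std::string::npos || labelCount(base) < 2) return false;
    if (h == base) return policy == BareDomain::Accept;  // the case argued in this report
    // Otherwise the wildcard stands for exactly one label in front of ".base".
    const std::string suffix = "." + base;
    if (h.size() <= suffix.size()) return false;
    const std::string::size_type cut = h.size() - suffix.size();
    return h.compare(cut, suffix.size(), suffix) == 0 && h.find('.') == cut;
}

int main() {
    for (const char* host : {"www.kde.org", "kde.org", "a.b.kde.org"})  // constructed inputs
        std::cout << host << "  strict=" << hostMatchesName("*.kde.org", host, BareDomain::Reject)
                  << "  lenient=" << hostMatchesName("*.kde.org", host, BareDomain::Accept) << '\n';
}
```

The two-label rule only stops single-label bases such as `*.org`; it does not recognise multi-label public suffixes, and IP addresses and internationalised names are outside what this sketch handles.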
SVN commit 480071 by staikos: *.example.com matches example.com apparently BUG: 106476 M +8 -1 ksslpeerinfo.cc --- branches/KDE/3.5/kdelibs/kio/kssl/ksslpeerinfo.cc #480070:480071 @@ -122,7 +122,7 @@ // after the wildcard (*). QStringList parts = QStringList::split('.', cn, false); - while(parts.count() > 2) + while (parts.count() > 2) parts.remove(parts.begin()); if (parts.count() != 2) { @@ -141,6 +141,13 @@ QStringList::split('.', d->peerHost, false).count()) return true; + // *.example.com must match example.com also. Sigh.. + if (cn.startsWith("*.")) { + QString chopped = cn.mid(2); + if (chopped == d->peerHost) { + return true; + } + } return false; }
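Review bot: The whitespace-only edit in the first hunk (@@ -122,7 +122,7 @@, `while(` to `while (`) is unrelated to the fix and should go in a separate commit, so that a change to certificate name matching shows nothing but the behaviour change.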
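Review bot: In the second hunk (@@ -141,6 +141,13 @@) the new branch accepts on `chopped == d->peerHost`, an exact string comparison, and it does not itself check how many labels `chopped` has. Unless `cn` and `d->peerHost` are normalised to one case earlier in the function (not visible in this diff), a CN of `*.Example.com` would still fail for `example.com`; and if a CN such as `*.com` reaches this point it would be accepted for a peer host of `com`. Suggest a case-insensitive comparison and requiring `chopped` to contain at least one '.' before returning true. The comment ending in "Sigh.." should instead state why the bare domain is accepted and point at bug 106476, since this loosens the match relative to the label-count check just above it.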