crypto/x509: partial wildcards not supported

[kmala]

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.9.5 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GORACE=""
GOROOT="/usr/local/go"
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build007879267=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you do?

trying to match certificate test*.foo.com with host testabc.foo.com

What did you expect to see?

Expecting the host will match the certificate identifier. This is valid according to the RFC https://tools.ietf.org/html/rfc6125#section-6.4.3 where the client can validate this.

What did you see instead?

x509: certificate is valid for test*.foo.com, not testabc.foo.com

[FiloSottile]

This is intentionally not supported.

The standard library package crypto/x509 is built for the WebPKI, and the Baseline Requirements disallow partial wildcards. Browsers behave similarly. Also, the RFC specifies that a client MAY match partial wildcards, so we are not breaking the spec.