TLS doesn't check subject.CN for wildcard

[NodePing]

Allow CN to be checked for wildcard

#4254

[isaacs]

@bnoordhuis @indutny Thoughts?

[isaacs]

@NodePing It seems fine to me, but please add a test.

[indutny]

I think it cannot contain wildcard according to specification... Is it so widely used?

[NodePing]

We're seeing it on more than a few DigiCert and Thawte certificates but I don't have any stats for how widely it is used.
Two examples from some of our customers are:
graph.facebook.com
shopping.framesdirect.com
Is there a downside to checking for wildcards in the CN? I can't think of one.

[indutny]

Well, it's not really a good place for them to be, since it's deprecated... ok, I give up. It's not that important after all 🔨

[NodePing]

I'm having a hard time trying to come up with a good way to test these goofy certs. Any ideas?

[indutny]

No, I mean. Lets pull your patch @isaacs

[indutny]

Ok, @isaacs seems to be pretty busy right now... Probably @bnoordhuis or @piscisaureus can review it? Or @pquerna ?

[bnoordhuis]

I think it cannot contain wildcard according to specification... Is it so widely used?

I don't know if I'd call it 'widely used' but RFC 2818 certainly allows for it.

@NodePing I'll land your patch but a test case would be nice.

You can generate a self-signed certificate with openssl req (google for 'openssl create self-signed certificate' and you'll find more info.)

Drop the key and the certificate in test/fixtures and the test itself in test/simple.

[NodePing]

I've updated the existing test for wildcards in CN to assert true, rather than false.

[bnoordhuis]

@NodePing You're too late, @indutny already fixed it in 4dd70bb and b4b750b. Thanks though.