
(This has been marked a duplicate of SSL Cert for sub.domain.com and www.sub.domain.com, but while it's correct that the answer to this question is present in the answers there, that question is distinctly different and people looking for the answer to this one quite likely wouldn't find that one (I certainly didn't). The purported duplicate addresses multiple level subdomain matching a wildcard certificate; this addresses root domain matching a wildcard certificate.)

I'm seeing TLS session establishment failure with an error like

'*.example.com' doesn't match any name in ['example.com']

when trying to connect to a server that returns a certificate with the wildcard domain name in both CN and SAN extension, and doesn't include the root domain example.com in the SAN.

Is there any RFC or other established standard that defines whether this should succeed or fail? Googling about, I found various references implying either way, but nothing definitive.

My context is using the python ldap3 package to connect to a corporate LDAP server. Example code, with a couple of redactions:

from getpass import getpass
import ssl
import ldap3

# Require certificate validation; the protocol constant pins the handshake to TLS 1.0.
_tls_params = {
    'validate': ssl.CERT_REQUIRED,
    'version': ssl.PROTOCOL_TLSv1,
}
tls = ldap3.Tls(**_tls_params)

server_params = {
    'use_ssl': True,          # LDAPS (TLS from the first byte) rather than StartTLS
    'tls': tls,
    'get_info': ldap3.ALL,
    'connect_timeout': 20,
}

server_uri = "ldap.redacted.com"
server = ldap3.Server(server_uri, **server_params)

username = 'CORP\\redacted'
password = getpass()

# The TLS handshake, and therefore the hostname-vs-certificate check, runs on bind().
ldap_connection = ldap3.Connection(server, user=username, password=password)
ldap_connection.bind()
  • In short: A certificate for `*.example.com` does not cover `example.com` the same as `example.com` does not cover `whatever.example.com`. Commonly wildcard certificates thus have SAN for both `*.example.com` and `example.com`. – Steffen Ullrich Dec 10 '21 at 22:41
  • I don't know an exact dupe here, but see https://serverfault.com/questions/310530/should-a-wildcard-ssl-certificate-secure-both-the-root-domain-as-well-as-the-sub and https://serverfault.com/questions/664579/ssl-error-for-wildcard-subdomain-certificate – dave_thompson_085 Dec 11 '21 at 02:51
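The rule in the comments above, worked through in code. This is an added example, not ldap3's own hostname check: the matching follows RFC 6125 section 6.4.3 (a wildcard is honoured only as the entire left-most label and stands for exactly one label), and the two sample certificates are constructed in the dict shape that ssl.SSLSocket.getpeercert() returns.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname          # exact (case-insensitive) match
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    # The wildcard must be the whole left-most label and must not be the
    # only label.  '*' stands for exactly one label, so the label counts
    # must agree: 'example.com' (one label short) and 'a.b.example.com'
    # (one label too many) both fail against '*.example.com'.
    if p_labels[0] != '*' or len(p_labels) < 2:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names to check: SAN dNSName entries if present, otherwise the CN."""
    names = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if names:
        return names
    return [v for rdn in cert.get('subject', ())
            for k, v in rdn if k == 'commonName']


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate matches the host we connected to."""
    return any(dns_name_matches(n, hostname) for n in cert_names(cert))


# Constructed sample certificates (same layout as ssl.getpeercert()).
# Wildcard in CN and SAN only, as in the question:
WILDCARD_ONLY = {
    'subject': ((('commonName', '*.example.com'),),),
    'subjectAltName': (('DNS', '*.example.com'),),
}
# The common fix: SAN carries both the wildcard and the bare root domain.
WILDCARD_PLUS_ROOT = {
    'subject': ((('commonName', '*.example.com'),),),
    'subjectAltName': (('DNS', '*.example.com'), ('DNS', 'example.com')),
}
```

Running cert_covers(WILDCARD_ONLY, 'example.com') reproduces the failure in the question, while the same host passes against WILDCARD_PLUS_ROOT.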
