http://bugs.winehq.org/show_bug.cgi?id=25478
Juan Lang juan_lang@yahoo.com changed:
What | Removed | Added
Component | -unknown | crypt32
--- Comment #4 from Juan Lang juan_lang@yahoo.com 2010-12-11 10:08:30 CST ---

Here we are with the relevant chain bits:

trace:chain:dump_ssl_extra_chain_policy_para pwszServerName = L"activation.sls.microsoft.com"
trace:chain:match_dns_to_subject_dn L"activation.sls.microsoft.com"
trace:chain:match_common_name CN = L"*.validation.sls.microsoft.com\0000"
warn:chain:match_domain_component domain component L"sls" too short for L"validation"
trace:chain:match_common_name returning 0
That is, it's trying to match activation.sls.microsoft.com to *.validation.sls.microsoft.com. This isn't specifically addressed in RFC 2818, which covers HTTP over TLS. From section 3.1:
"Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com."
The way I read that, *. can't match the lack of a label, and indeed other protocols specifically disallow this. So, in my opinion, Microsoft is doing the wrong thing here. Tests needed, of course.
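An added example, not Wine's crypt32 code, implementing the RFC 2818 section 3.1 wildcard rule as the comment reads it: labels are paired one-to-one, a * matches only within a single label, and a wildcard label can never stand in for a label the hostname lacks, so activation.sls.microsoft.com does not match *.validation.sls.microsoft.com. The function name rfc2818_match and the helpers are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of n bytes; DNS labels are case-insensitive. */
static bool ci_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Match one hostname label against one pattern label. A '*' matches any run
 * of characters inside this single label (RFC 2818 3.1: "component or
 * component fragment"); it never matches a dot, so it cannot span labels. */
static bool match_label(const char *pat, size_t plen, const char *lab, size_t llen)
{
    const char *star = memchr(pat, '*', plen);
    if (!star)
        return plen == llen && ci_eq(pat, lab, llen);
    size_t pre = (size_t)(star - pat), post = plen - pre - 1;
    if (llen < pre + post)
        return false;
    return ci_eq(pat, lab, pre) && ci_eq(star + 1, lab + llen - post, post);
}

/* Return true if host matches the certificate name pattern under the reading
 * in the comment above: labels are paired one-to-one, so a wildcard label can
 * never stand in for a label the hostname does not have. (Hypothetical name.) */
bool rfc2818_match(const char *pattern, const char *host)
{
    for (;;) {
        const char *pdot = strchr(pattern, '.'), *hdot = strchr(host, '.');
        size_t plen = pdot ? (size_t)(pdot - pattern) : strlen(pattern);
        size_t hlen = hdot ? (size_t)(hdot - host) : strlen(host);
        if (plen == 0 || hlen == 0 || !match_label(pattern, plen, host, hlen))
            return false;                      /* empty label or mismatch */
        if (!pdot || !hdot)
            return !pdot && !hdot;             /* both names must end here */
        pattern = pdot + 1;
        host = hdot + 1;
    }
}

int main(void)
{
    /* The case from the trace above: expected to fail (prints 0). */
    printf("%d\n", rfc2818_match("*.validation.sls.microsoft.com",
                                 "activation.sls.microsoft.com"));
    return 0;
}
```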