Allow for a leading . for wildcard like matches

author Bob Beck <beck@openssl.org>

Wed, 4 Feb 2026 00:51:37 +0000 (17:51 -0700)

committer Neil Horman <nhorman@openssl.org>

Tue, 24 Feb 2026 14:03:39 +0000 (09:03 -0500)
author Bob Beck <beck@openssl.org>
Wed, 4 Feb 2026 00:51:37 +0000 (17:51 -0700)
committer Neil Horman <nhorman@openssl.org>
Tue, 24 Feb 2026 14:03:39 +0000 (09:03 -0500)
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c

index 919f6379769969c0b6d88f66d0d618d29c036b97..c3e4e25fc326e3605680b815efe29f3aa9cc02d5 100644 (file)
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -249,8 +249,11 @@ static int validate_hostname_part(const char *name, size_t len,
      for (i = 0; i < len; i++) {
          c = name[i];
          if (c == '.') {
-            /* Can not start a label with a . */
-            if (part_len == 0)
+            /*
+             * Can not start a label with a .
+             * unless it is the very first character.
+             */
+            if (part_len == 0 && i != 0)
                  return 0;
              /* Can not end a label with a - */
              if (prev == '-')
author	Bob Beck <beck@openssl.org>
	Wed, 4 Feb 2026 00:51:37 +0000 (17:51 -0700)
committer	Neil Horman <nhorman@openssl.org>
	Tue, 24 Feb 2026 14:03:39 +0000 (09:03 -0500)