

Web User Interface


Phone User Interface




XML Configuration

<host_name_validation_flags perm="PERMISSIONFLAGS">VALIDVALUE</host_name_validation_flags>


This setting governs the degree to which wildcards are permitted during host name validation, which is performed as part of validating a server certificate. It is configured by setting one or more flags. For a description of what the flags mean, see the OpenSSL documentation. The flag values are as follows:

0 (no flags set) --> Wildcards are supported and they match only in the left-most label; but they may match part of that label with an explicit prefix or suffix. For example the host name "" would match a certificate with a SAN or CN value of "", "" or "*".

X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 1 --> Always check the subject name for a host match, even if subject alternative names are present.

X509_CHECK_FLAG_NO_WILDCARDS = 2 --> Disable wildcard matching for dnsName fields and common name.

X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 4 --> Wildcards must not match a partial label.

X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = 8 --> Allow (non-partial) wildcards to match multiple labels.

X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = 16 --> Constrain verifier subdomain patterns to match a single label.

To set multiple flags, add up their values.

This setting is only effective if setting Settings/check_fqdn_against_server_cert is enabled.
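
The following Python sketch is an added example, not part of the original page and not OpenSSL's code: it decodes a configured value into the flag names listed above and models, in simplified form, how flags 2, 4 and 8 change wildcard matching. The function names and the example.com host names are constructed for illustration; flags 1 and 16 are decoded only, and IDNA handling is omitted.

```python
import re

# Flag values as listed on this page (names are OpenSSL's X509_CHECK_FLAG_*).
FLAGS = {
    1: "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT",
    2: "X509_CHECK_FLAG_NO_WILDCARDS",
    4: "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS",
    8: "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS",
    16: "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS",
}

def decode_flags(value):
    """Return the flag names encoded in a configured value (sum of flags)."""
    if not 0 <= value <= sum(FLAGS):
        raise ValueError(f"{value} is not a sum of the valid flag values")
    return [name for bit, name in FLAGS.items() if value & bit]

def wildcard_allows(pattern, host, value):
    """Simplified model (assumption): does cert name `pattern` accept `host`?"""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host            # plain name: exact match only
    if value & 2:                         # NO_WILDCARDS
        return False
    first, _, rest = pattern.partition(".")
    # One '*', in the left-most label only, followed by at least two labels.
    if first.count("*") != 1 or "*" in rest or "." not in rest:
        return False
    prefix, suffix = first.split("*")
    if prefix and suffix:                 # '*' must start or end the label
        return False
    if prefix or suffix:                  # partial wildcard such as 'w*'
        if value & 4:                     # NO_PARTIAL_WILDCARDS
            return False
        star = r"[a-z0-9-]*"
    elif value & 8:                       # MULTI_LABEL_WILDCARDS: may span dots
        star = r"[a-z0-9.-]+"
    else:                                 # full-label wildcard, one label only
        star = r"[a-z0-9-]+"
    regex = re.escape(prefix) + star + re.escape(suffix) + r"\." + re.escape(rest)
    return re.fullmatch(regex, host) is not None

if __name__ == "__main__":
    # Constructed sample names; prints how each setting treats them.
    for value in (0, 2, 4, 8):
        for pat in ("*.example.com", "w*.example.com"):
            for host in ("www.example.com", "a.b.example.com"):
                print(value, pat, host, wildcard_allows(pat, host, value))
```

Running the script prints, for each of the values 0, 2, 4 and 8, whether a full-label and a partial wildcard certificate name would accept a single-label and a multi-label host name.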

Valid Values

0, 1, 2, 4, 8, 16 or the sum of one or more of these values

Default Value


2 (in FW < )
