diennea · dmercuriali · Feb 21, 2024 · Feb 14, 2024 · Feb 14, 2024 · Feb 16, 2024
diff --git a/...ace-server/src/main/java/org/carapaceproxy/server/config/SSLCertificateConfiguration.java b/...ace-server/src/main/java/org/carapaceproxy/server/config/SSLCertificateConfiguration.java
@@ -93,16 +93,24 @@ public boolean isMoreSpecific(SSLCertificateConfiguration other) {
         if (subjectAltNames == null || subjectAltNames.isEmpty()) {
             return hostname.length() > other.getHostname().length();
         }
-        final var otherNames = other.getNames().stream().map(CertificatesUtils::removeWildcard);
-        for (var n: getNames()) {
+
+        final int maxOtherNameLength = other.getNames().stream()
+                .map(CertificatesUtils::removeWildcard)
+                .map(String::length)
+                .max(Integer::compareTo)
+                .orElse(0);
+
+        for (var n : getNames()) {
             final var name = CertificatesUtils.removeWildcard(n);
-            if (otherNames.anyMatch(on -> name.length() > on.length())) {
+            if (name.length() > maxOtherNameLength) {
                 return true;
             }
         }
         return false;
     }
 
+
+
     public Collection<String> getNames() {
         return new ArrayList<>() {{
             add(id); // hostname or *.hostname

diff --git a/carapace-server/src/test/java/org/carapaceproxy/listeners/SSLSNITest.java b/carapace-server/src/test/java/org/carapaceproxy/listeners/SSLSNITest.java
@@ -96,10 +96,16 @@ public void testChooseCertificate() throws Exception {
             server.addCertificate(new SSLCertificateConfiguration("other", null, "cert", "pwd", STATIC));
             server.addCertificate(new SSLCertificateConfiguration("*.example.com", Set.of("example.com", "*.example2.com"), "cert", "pwd", STATIC));
             server.addCertificate(new SSLCertificateConfiguration("www.example.com", null, "cert", "pwd", STATIC));
+            server.addCertificate(new SSLCertificateConfiguration("*.qapatchweb.peachtest.it", Set.of("qapatchweb.peachtest.it"), "cert", "pwd", STATIC));
+            server.addCertificate(new SSLCertificateConfiguration("*.qapatch2web.peachtest.it", Set.of("qapatch2web.peachtest.it"), "cert", "pwd", STATIC));
+            server.addCertificate(new SSLCertificateConfiguration("*.peachtest.it", Set.of("gemini.peachtest.it"), "cert", "pwd", STATIC));
+
 
             // client requests bad SNI, bad default in listener
             assertNull(server.getListeners().chooseCertificate("no", "no-default"));
 
+            assertEquals("*.qapatchweb.peachtest.it", server.getListeners().chooseCertificate("test.qapatchweb.peachtest.it", "no-default").getId());
+
             // client requests SNI, bad default in listener
             assertEquals("other", server.getListeners().chooseCertificate("other", "no-default").getId());
 
@@ -142,6 +148,7 @@ public void testChooseCertificate() throws Exception {
             assertEquals("*", server.getListeners().chooseCertificate("", null).getId());
             assertEquals("*", server.getListeners().chooseCertificate(null, "").getId());
         }
+
     }
 
     @Test