Disallow support for a*.example.net
, *a.example.net, and a*b.example.net
in certificate wildcard handling.
RFC 2818 deprecates these esoteric forms, thus RFC 6125 documents them,
but they should never appear in a publicly trusted certificate, and
are dang weird for internal certificates.
Instead, require that the wildcard
- Appear ONLY in the left-most label of a presented name. This is
- Appear as the ONLY character in the label (e.g. it is the full
label). This is the new behaviour.