From b48c284c42205483fcc5e02b9d68d7bbd6a1c370 Mon Sep 17 00:00:00 2001
From: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Date: Thu, 20 Apr 2023 19:49:07 +0200
Subject: [PATCH] crypto/x509: clarify wildcard matching according to rfc6125

---
 src/crypto/x509/verify.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 0b01f8b4753..8f9610f8e6d 100644
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -1081,7 +1081,7 @@ func toLowerCaseASCII(in string) string {
 // IP addresses can be optionally enclosed in square brackets and are checked
 // against the IPAddresses field. Other names are checked case insensitively
 // against the DNSNames field. If the names are valid hostnames, the certificate
-// fields can have a wildcard as the left-most label.
+// fields can have a wildcard as the complete left-most label (e.g. *.example.com).
 //
 // Note that the legacy Common Name field is ignored.
 func (c *Certificate) VerifyHostname(h string) error {