--- a/config.c 2015-01-26 17:47:53.000000000 +0100
+++ b/config.c 2015-11-18 18:20:16.431223194 +0100
@@ -889,6 +889,25 @@
 }
 #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+/*
+ * Basic wildcard matching
+ * replace with X509_check_host at some point in the future
+ * beware of https://rt.openssl.org/Ticket/Display.html?id=3288
+ */
+static int
+SNI_match_name(const char *pattern, const char *name)
+{
+    short is_wildcard;
+    const char *cp;
+
+    /* easy wildcard checking - check left-most DNS label only */
+    is_wildcard = (pattern[0] == '*' && pattern[1] == '.');
+    if (is_wildcard)
+        return ((cp = strchr(name, '.')) != NULL && strcasecmp(pattern+1, cp) == 0);
+    else
+        return (strcasecmp(pattern, name) == 0);
+}
+
 static int
 SNI_server_name(SSL *ssl, int *dummy, POUND_CTX *ctx)
 {
@@ -902,7 +922,7 @@
     SSL_set_SSL_CTX(ssl, NULL);
     for(pc = ctx; pc; pc = pc->next) {
-        if(fnmatch(pc->server_name, server_name, 0) == 0) {
+        if(SNI_match_name(pc->server_name, server_name)) {
             /* logmsg(LOG_DEBUG, "Found cert for %s", servername); */
             SSL_set_SSL_CTX(ssl, pc->ctx);
             return SSL_TLSEXT_ERR_OK;
@@ -911,7 +931,7 @@
             int i;
             for(i = 0; i < pc->subjectAltNameCount; i++) {
-                if(fnmatch(pc->subjectAltNames[i], server_name, 0) == 0) {
+                if(SNI_match_name(pc->subjectAltNames[i], server_name)) {
                     SSL_set_SSL_CTX(ssl, pc->ctx);
                     return SSL_TLSEXT_ERR_OK;
                 }
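Review bot: In the wildcard branch of SNI_match_name, strchr(name, '.') returns the start of name when the client-supplied SNI value begins with a dot, so a pattern `*.example.com` accepts `.example.com`, a name whose left-most label is empty. Requiring at least one character before the dot closes that: `return ((cp = strchr(name, '.')) != NULL && cp != name && strcasecmp(pattern+1, cp) == 0);`. The function also dereferences both arguments unconditionally, so the header comment should state the contract it relies on, e.g. `/* pattern and name must be non-NULL; only a leading "*." is treated as a wildcard and it covers exactly one label */`. As a point of style, `short is_wildcard` would conventionally be `int`, and the `else` after an unconditional `return` is redundant.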
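Review bot: The replacement of fnmatch() here and in the subjectAltNames loop of the following hunk is a deliberate tightening, but it is a silent behavior change for existing deployments: a certificate name containing `?`, `[...]` or a `*` that is not the whole first label used to match and now does not, and `*.example.com` no longer covers `a.b.example.com`. A comment at this first call site would record that for whoever later debugs an SNI that stopped matching, e.g. `/* single-label "*." wildcard only; fnmatch() metacharacters are no longer honoured */`. The enclosing for loop and the body of SNI_server_name begin and end outside this hunk.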