diff --git a/test/test_ssl_util.py b/test/test_ssl_util.py
index f1e0120b0..0bfd7be05 100644
--- a/test/test_ssl_util.py
+++ b/test/test_ssl_util.py
@@ -64,6 +64,19 @@ class TestSSLCertificate(unittest.TestCase):
 for name in cert.names:
 self.assertTrue(cert.matches_name(name))
+ def test_wildcard_hostnames(self):
+ (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['DNS:*.bar'])
+ cert = load_certificate(public_key_data)
+ self.assertEquals(set(['foo', '*.bar']), cert.names)
+
+ for name in cert.names:
+ self.assertTrue(cert.matches_name(name))
+
+ self.assertTrue(cert.matches_name('something.bar'))
+ self.assertTrue(cert.matches_name('somethingelse.bar'))
+ self.assertTrue(cert.matches_name('cool.bar'))
+ self.assertFalse(cert.matches_name('*'))
+
 def test_nondns_hostnames(self):
 (public_key_data, _) = generate_test_cert(hostname='foo', san_list=['URI:yarg'])
 cert = load_certificate(public_key_data)
diff --git a/util/security/ssl.py b/util/security/ssl.py
index 7f0534c9a..f14d2c04e 100644
--- a/util/security/ssl.py
+++ b/util/security/ssl.py
@@ -45,7 +45,7 @@ class SSLCertificate(object):
 def matches_name(self, check_name):
 """ Returns true if this SSL certificate matches the given DNS hostname. """
 for dns_name in self.names:
- if fnmatch(dns_name, check_name):
+ if fnmatch(check_name, dns_name):
 return True
 return False
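Review bot: The assertions in `test_wildcard_hostnames` cover only single-label names under `*.bar` plus one negative case (`'*'`), so nothing pins down how far the wildcard is allowed to reach. Add negative cases such as `self.assertFalse(cert.matches_name('a.b.bar'))` and `self.assertFalse(cert.matches_name('.bar'))`; with a glob-based matcher I would expect both to fail as the code stands, which is what makes them worth having. Separately, `assertEquals` is a deprecated alias, and `self.assertEqual(set(['foo', '*.bar']), cert.names)` is the supported spelling.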
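Review bot: `fnmatch(check_name, dns_name)` now treats the certificate name as a shell glob, which is looser than hostname matching as described in RFC 6125. `*` also spans dots and the empty string, so a `*.bar` entry accepts `a.b.bar` and `.bar`. `?` and `[...]` inside a SAN are interpreted as metacharacters, and case handling follows the platform's path rules rather than DNS case-insensitivity. I would compare label by label, honouring `*` only as the whole left-most label and for exactly one label, and say so in the docstring. The sketch below keeps exact equality first, so `cert.matches_name(name)` still holds for every entry in `cert.names`.

```python
def matches_name(self, check_name):
    """ Returns true if this SSL certificate matches the given DNS hostname. A wildcard is
        honoured only as the entire left-most label and stands for exactly one label. """
    wanted = check_name.lower().split('.')
    for dns_name in self.names:
        labels = dns_name.lower().split('.')
        if labels == wanted:
            return True
        # Wildcard entry: same label count, non-empty first label, identical remaining labels.
        if (len(labels) > 1 and labels[0] == '*' and len(labels) == len(wanted)
                and wanted[0] and labels[1:] == wanted[1:]):
            return True
    return False
```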