diff --git a/include/libwebsockets/lws-tokenize.h b/include/libwebsockets/lws-tokenize.h
index 9af6c5977..66b34b41a 100644
--- a/include/libwebsockets/lws-tokenize.h
+++ b/include/libwebsockets/lws-tokenize.h
@@ -259,11 +259,14 @@ lws_strexp_expand(lws_strexp_t *exp, const char *in, size_t len,
  * lws_strcmp_wildcard() - strcmp but the first arg can have wildcards
  *
  * \p wildcard: a string that may contain zero to three *, and may lack a NUL
- * \p len: length of the wildcard string
+ * \p wlen: length of the wildcard string
  * \p check: string to test to see if it matches wildcard
+ * \p clen: length of check string
  *
- * Exactly like strcmp, but supports patterns like "a*", "a*b", "a*b*" etc
- * where a and b are arbitrary substrings
+ * Like strcmp, but supports patterns like "a*", "a*b", "a*b*" etc
+ * where a and b are arbitrary substrings.  Both the wc and check strings need
+ * not be NUL terminated, but are specified by lengths.
  */
 LWS_VISIBLE LWS_EXTERN int
-lws_strcmp_wildcard(const char *wildcard, size_t len, const char *check);
+lws_strcmp_wildcard(const char *wildcard, size_t wlen, const char *check,
+		    size_t clen);
diff --git a/lib/core/libwebsockets.c b/lib/core/libwebsockets.c
index ee7c1e103..a75683f58 100644
--- a/lib/core/libwebsockets.c
+++ b/lib/core/libwebsockets.c
@@ -1169,9 +1169,11 @@ drain:
 }
 
 int
-lws_strcmp_wildcard(const char *wildcard, size_t len, const char *check)
+lws_strcmp_wildcard(const char *wildcard, size_t wlen, const char *check,
+		    size_t clen)
 {
-	const char *match[3], *wc[3], *wc_end = wildcard + len;
+	const char *match[3], *wc[3], *wc_end = wildcard + wlen,
+		   *cend = check + clen;
 	int sp = 0;
 
 	do {
@@ -1240,9 +1242,13 @@ lws_strcmp_wildcard(const char *wildcard, size_t len, const char *check)
 
 		/* we're looking for a post-* match... keep looking... */
 
-	} while (*check);
+	} while (check < cend);
 
-	return !!*wildcard;
+	/*
+	 * We reached the end of check, if also at end of wildcard we're OK
+	 */
+
+	return wildcard != wc_end;
 }
 
 #if LWS_MAX_SMP > 1
diff --git a/lib/system/metrics/metrics.c b/lib/system/metrics/metrics.c
index b7a2accac..8aa48c955 100644
--- a/lib/system/metrics/metrics.c
+++ b/lib/system/metrics/metrics.c
@@ -263,7 +263,8 @@ lws_metrics_check_in_policy(const char *polstring, const char *name)
 		ts.e = (int8_t)lws_tokenize(&ts);
 
 		if (ts.e == LWS_TOKZE_TOKEN) {
-			if (!lws_strcmp_wildcard(ts.token, ts.token_len, name))
+			if (!lws_strcmp_wildcard(ts.token, ts.token_len, name,
+						 strlen(name)))
 				/* yes, we are mentioned in this guy's policy */
 				return 0;
 		}
diff --git a/minimal-examples/api-tests/api-test-lws_tokenize/main.c b/minimal-examples/api-tests/api-test-lws_tokenize/main.c
index 073bdb0b2..b9bbcea9e 100644
--- a/minimal-examples/api-tests/api-test-lws_tokenize/main.c
+++ b/minimal-examples/api-tests/api-test-lws_tokenize/main.c
@@ -322,6 +322,8 @@ static const char *exp_inp1 = "this-is-a-${test}-for-strexp";
 
 int main(int argc, const char **argv)
 {
+	struct lws_context_creation_info info;
+	struct lws_context *cx;
 	struct lws_tokenize ts;
 	lws_tokenize_elem e;
 	const char *p;
@@ -344,6 +346,41 @@ int main(int argc, const char **argv)
 	if ((p = lws_cmdline_option(argc, argv, "-f")))
 		flags = atoi(p);
 
+
+	memset(&info, 0, sizeof info);
+	info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
+		       LWS_SERVER_OPTION_H2_JUST_FIX_WINDOW_UPDATE_OVERFLOW;
+
+	/*
+	 * since we know this lws context is only ever going to be used with
+	 * one client wsis / fds / sockets at a time, let lws know it doesn't
+	 * have to use the default allocations for fd tables up to ulimit -n.
+	 * It will just allocate for 1 internal and 1 (+ 1 http2 nwsi) that we
+	 * will use.
+	 */
+	info.fd_limit_per_thread = 1 + 1 + 1;
+
+#if 0
+#if defined(LWS_WITH_MBEDTLS) || defined(USE_WOLFSSL)
+	/*
+	 * OpenSSL uses the system trust store.  mbedTLS has to be told which
+	 * CA to trust explicitly.
+	 */
+	info.client_ssl_ca_filepath = "./warmcat.com.cer";
+#endif
+#endif
+#if 0
+	n = open("./warmcat.com.cer", O_RDONLY);
+	if (n >= 0) {
+		info.client_ssl_ca_mem_len = read(n, memcert, sizeof(memcert));
+		info.client_ssl_ca_mem = memcert;
+		close(n);
+		n = 0;
+		memcert[info.client_ssl_ca_mem_len++] = '\0';
+	}
+#endif
+	cx = lws_create_context(&info);
+
 	/* lws_strexp */
 
 	{
@@ -668,72 +705,75 @@ int main(int argc, const char **argv)
 		}
 	}
 
-	if (lws_strcmp_wildcard("allied", 6, "allied")) {
+	if (lws_strcmp_wildcard("allied", 6, "allied", 6)) {
 		lwsl_user("%s: wc 1 fail\n", __func__);
 		fail++;
 	}
-	if (lws_strcmp_wildcard("a*", 2, "allied")) {
+	if (lws_strcmp_wildcard("a*", 2, "allied", 6)) {
 		lwsl_user("%s: wc 2 fail\n", __func__);
 		fail++;
 	}
-	if (lws_strcmp_wildcard("all*", 4, "allied")) {
+	if (lws_strcmp_wildcard("all*", 4, "allied", 6)) {
 		lwsl_user("%s: wc 3 fail\n", __func__);
 		fail++;
 	}
-	if (lws_strcmp_wildcard("all*d", 5, "allied")) {
+	if (lws_strcmp_wildcard("all*d", 5, "allied", 6)) {
 		lwsl_user("%s: wc 4 fail\n", __func__);
 		fail++;
 	}
-	if (!lws_strcmp_wildcard("b*", 2, "allied")) {
+	if (!lws_strcmp_wildcard("b*", 2, "allied", 6)) {
 		lwsl_user("%s: wc 5 fail\n", __func__);
 		fail++;
 	}
-	if (!lws_strcmp_wildcard("b*ed", 4, "allied")) {
+	if (!lws_strcmp_wildcard("b*ed", 4, "allied", 6)) {
 		lwsl_user("%s: wc 6 fail\n", __func__);
 		fail++;
 	}
-	if (!lws_strcmp_wildcard("allie", 5, "allied")) {
+	if (!lws_strcmp_wildcard("allie", 5, "allied", 6)) {
 		lwsl_user("%s: wc 7 fail\n", __func__);
 		fail++;
 	}
-	if (lws_strcmp_wildcard("allie*", 6, "allied")) {
+	if (lws_strcmp_wildcard("allie*", 6, "allied", 6)) {
 		lwsl_user("%s: wc 8 fail\n", __func__);
 		fail++;
 	}
-	if (lws_strcmp_wildcard("*llie*", 6, "allied")) {
+	if (lws_strcmp_wildcard("*llie*", 6, "allied", 6)) {
 		lwsl_user("%s: wc 9 fail\n", __func__);
 		fail++;
 	}
-	if (lws_strcmp_wildcard("*llied", 6, "allied")) {
+	if (lws_strcmp_wildcard("*llied", 6, "allied", 6)) {
 		lwsl_user("%s: wc 10 fail\n", __func__);
 		fail++;
 	}
-	if (!lws_strcmp_wildcard("*llie", 5, "allied")) {
+	if (!lws_strcmp_wildcard("*llie", 5, "allied", 6)) {
 		lwsl_user("%s: wc 11 fail\n", __func__);
 		fail++;
 	}
-	if (!lws_strcmp_wildcard("*nope", 5, "allied")) {
+	if (!lws_strcmp_wildcard("*nope", 5, "allied", 6)) {
 		lwsl_user("%s: wc 12 fail\n", __func__);
 		fail++;
 	}
-	if (lws_strcmp_wildcard("*li*", 4, "allied")) {
+	if (lws_strcmp_wildcard("*li*", 4, "allied", 6)) {
 		lwsl_user("%s: wc 13 fail\n", __func__);
 		fail++;
 	}
-	if (lws_strcmp_wildcard("*", 1, "allied")) {
+	if (lws_strcmp_wildcard("*", 1, "allied", 6)) {
 		lwsl_user("%s: wc 14 fail\n", __func__);
 		fail++;
 	}
-	if (lws_strcmp_wildcard("*abc*d", 6, "xxabyyabcdd")) {
+	if (lws_strcmp_wildcard("*abc*d", 6, "xxabyyabcdd", 11)) {
 		lwsl_user("%s: wc 15 fail\n", __func__);
 		fail++;
 	}
-	if (lws_strcmp_wildcard("ssproxy.n.cn.*", 14, "ssproxy.n.cn.failures")) {
+	if (lws_strcmp_wildcard("ssproxy.n.cn.*", 14,
+				"ssproxy.n.cn.failures", 21)) {
 		lwsl_user("%s: wc 16 fail\n", __func__);
 		fail++;
 	}
 
 	lwsl_user("Completed: PASS: %d, FAIL: %d\n", ok, fail);
 
+	lws_context_destroy(cx);
+
 	return !(ok && !fail);
 }