httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: SSL client certificate extensions requirements backport
Date Thu, 20 Dec 2007 13:53:12 GMT
Victor Wagner wrote:
> On 2007.12.19 at 11:40:32 -0600, William A. Rowe, Jr. wrote:
>> Victor Wagner wrote:
>>> On 2007.12.19 at 10:10:54 +0100, Yann wrote:
>>>> The changes regarding X509V3_EXT_print() seem more problematic since the
>>>> extension values are used in string comparison (strcmp and the like), hence
>>>> the "human readable version", and the
>>> I hope that saying "human readable" you mean utf-8?
>>> I'd say that "\x04\x14\x04<\x048\x04B\x04@\x048\x049\x00 \x04\x11\x045\x04" hardly means "human readable"
>> Uhm - I hope you don't have such patterns in utf-8 strings.
> This pattern is a perfectly readable Russian name from a certificate CN,
> which was printed out this way by the now deprecated X509_NAME_oneline
> function. You see just escape sequences instead of readable Cyrillic.
> X509_NAME_oneline always has the ASN1_STRFLGS_ESC_MSB flag turned on
> (and doesn't allow specifying other flags).
> This flag is still on by default in the non-deprecated functions.
> The problem is that ASN.1 has different types of strings. In this case the
> name was encoded as a BMPString rather than a UTF8String, and
> X509_NAME_oneline doesn't do CONVERSION to UTF-8.

Yes, I noticed mod_ssl uses the obsolete X509_NAME_oneline() function all
over the place.

It has many flaws; mishandling of ASN1 string types, odd display of some
attributes and mishandling of multi-value AVAs are not the least of them.

In OpenSSL we would've liked to change X509_NAME_oneline() to a less
broken and more UTF-8 friendly version, but we have to retain
compatibility with the old behaviour.

Some applications (arguably wrongly) use the output of
X509_NAME_oneline() and strcmp() and friends for access control
purposes. If we changed the format those would be broken by the change.

So instead we froze the X509_NAME_oneline() format, deprecated it and
recommended all new applications use X509_NAME_print_ex() instead.

Again it shows the problems with trying to parse the output of functions
which are only supposed to give a human readable format.

I realise in this case that "human readable" is stretching the
definition beyond breaking point for X509_NAME_oneline() and the above
example. However when it was originally developed (at the dawn of time
in SSLeay) BMPStrings and UTF8Strings weren't even supported in the main

Dr Stephen N. Henson.
Core developer of the   OpenSSL project:
Freelance consultant see:
Email:, PGP key: via homepage.
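The point made in the thread, that the escaped "oneline" rendering of a Name depends on which ASN.1 string type the issuer chose, so comparing it with strcmp() for access control is fragile, can be shown without OpenSSL at all. The following is an added example written for this page, not code from the thread, from OpenSSL or from mod_ssl: a minimal DER parser for an X.509 Name, two hand-built Names carrying the same Cyrillic CN as a BMPString and as a UTF8String (both constructed here, not taken from a real certificate), a rendering that escapes non-ASCII bytes in the style of the output quoted above (a simplified imitation, not OpenSSL's exact algorithm), and a comparison done on the decoded text instead. The function names and the casefold normalisation are this example's own choices.

```python
"""Added example: why an escaped 'oneline' DN rendering is unfit for string comparison."""

OID_CN = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3
OID_NAMES = {OID_CN: "CN"}
# Universal string tags -> codec (only the types this example needs).
STRING_CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii",
                 0x1E: "utf-16-be", 0x1C: "utf-32-be"}


def _tlv(tag, body):
    """DER tag-length-value with short-form length (enough for these sizes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def name_with_cn(cn_tag, cn_bytes):
    """Build Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value } with one CN AVA."""
    atv = _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(cn_tag, cn_bytes))
    return _tlv(0x30, _tlv(0x31, atv))


# Constructed sample Names: the same CN text, two different ASN.1 string types.
CN_TEXT = "Дмитрий Бе"
NAME_BMP = name_with_cn(0x1E, CN_TEXT.encode("utf-16-be"))   # BMPString
NAME_UTF8 = name_with_cn(0x0C, CN_TEXT.encode("utf-8"))      # UTF8String


def _read_tlv(buf, pos):
    """Read one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_name(der):
    """Return [(oid_bytes, value_tag, raw_value)] for every AVA in the Name."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    avas, pos = [], 0
    while pos < len(body):
        stag, sbody, pos = _read_tlv(body, pos)
        assert stag == 0x31, "RDN must be a SET"
        spos = 0
        while spos < len(sbody):
            _, abody, spos = _read_tlv(sbody, spos)
            _, oid, p = _read_tlv(abody, 0)
            vtag, val, _ = _read_tlv(abody, p)
            avas.append((oid, vtag, val))
    return avas


def esc_msb(raw):
    """Escape every byte outside printable ASCII as \\xHH (simplified ESC_MSB-style output)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02X" % b for b in raw)


def oneline_style(der):
    """Render as /CN=...: the bytes shown depend on the string type the issuer used."""
    return "".join("/%s=%s" % (OID_NAMES.get(oid, oid.hex()), esc_msb(val))
                   for oid, _, val in parse_name(der))


def decoded(der):
    """Render by decoding each value according to its ASN.1 string type."""
    out = []
    for oid, tag, val in parse_name(der):
        codec = STRING_CODECS.get(tag)
        if codec is None:
            raise ValueError("unsupported string type 0x%02X" % tag)
        out.append((OID_NAMES.get(oid, oid.hex()), val.decode(codec)))
    return out


def names_match(der_a, der_b):
    """Compare on decoded, case-folded text (simplified; real DN matching has more rules)."""
    norm = lambda der: [(k, v.casefold()) for k, v in decoded(der)]
    return norm(der_a) == norm(der_b)


if __name__ == "__main__":
    for label, der in (("BMPString", NAME_BMP), ("UTF8String", NAME_UTF8)):
        print("%-10s oneline: %s" % (label, oneline_style(der)))
        print("%-10s decoded: %s" % (label, decoded(der)))
    print("oneline strings equal:", oneline_style(NAME_BMP) == oneline_style(NAME_UTF8))
    print("decoded names match:  ", names_match(NAME_BMP, NAME_UTF8))
```

Running it prints two different escaped strings for one and the same name (the BMPString form is the `\x04\x14\x04<...` pattern from the thread, the UTF8String form is a run of `\xD0\x94...` bytes), so an ACL entry written against either rendering silently stops matching when the CA switches string types; the decoded comparison matches in both cases.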
