From: Dr Stephen Henson <shenson@oss-institute.org>
To: dev@httpd.apache.org
Date: Thu, 20 Dec 2007 13:53:12 +0000
Subject: Re: SSL client certificate extensions requirements backport
Message-ID: <476A73C8.5050302@oss-institute.org>
In-Reply-To: <20071220133339.GA30860@wagner.pp.ru>
References: <4767CADB.3020009@bee-ware.net> <4767D571.3040707@oss-institute.org> <4768E01E.80405@bee-ware.net> <20071219173425.GB9227@wagner.pp.ru> <47695790.60707@rowe-clan.net> <20071220133339.GA30860@wagner.pp.ru>

Victor Wagner wrote:
> On 2007.12.19 at 11:40:32 -0600, William A. Rowe, Jr. wrote:
>
>> Victor Wagner wrote:
>>> On 2007.12.19 at 10:10:54 +0100, Yann wrote:
>>>
>>>> The changes regarding X509V3_EXT_print() seem more problematic since the
>>>> extension values are used in string comparison (strcmp and the like),
>>>> hence the "human readable version", and the
>>> I hope that by saying "human readable" you mean utf-8?
>>> I'd say that "\x04\x14\x04<\x048\x04B\x04@\x048\x049\x00 \x04\x11\x045\x04"
>>> hardly means "human readable"
>> Uhm - I hope you don't have such patterns in utf-8 strings.
>
> This pattern is a perfectly readable Russian name from a certificate CN,
> which was printed out this way by the now deprecated X509_NAME_oneline
> function. You see - just escape sequences instead of readable Cyrillic.
>
> X509_NAME_oneline always has the ASN1_STRFLGS_ESC_MSB flag turned on
> (and doesn't allow other flags to be specified).
>
> This flag is still on by default in the non-deprecated functions.
>
> The problem is that ASN.1 has different types of strings. In this case
> the name was encoded as BMPString rather than UTF8String. And
> X509_NAME_oneline doesn't do CONVERSION to Utf8.
>

Yes, I noticed mod_ssl uses the obsolete X509_NAME_oneline() function all over the place. It has many flaws: mishandling of ASN1 string types, odd display of some attributes and mishandling of multi-value AVAs, not the least of them.

In OpenSSL we would've liked to change X509_NAME_oneline() to a less broken and more Utf8-friendly version, but we have to retain compatibility with the old behaviour. Some applications (arguably wrongly) use the output of X509_NAME_oneline() with strcmp() and friends for access control purposes. If we changed the format, those would be broken by the change. So instead we froze the X509_NAME_oneline() format, deprecated it and recommended that all new applications use X509_NAME_print_ex() instead.

Again it shows the problems with trying to parse the output of functions which are only supposed to give a human readable format. I realise that in this case "human readable" is stretching the definition beyond breaking point for X509_NAME_oneline() and the above example. However, when it was originally developed (at the dawn of time in SSLeay) BMPStrings and UTF8Strings weren't even supported in the main library.

Steve.
-- 
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
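The following is an added illustration of the point made in this thread; it is not code from the thread, from mod_ssl or from OpenSSL. It reproduces, in pure Python with constructed DER fragments, why the escaped output of a display function such as X509_NAME_oneline() is a poor basis for comparing certificate name attributes: the same Cyrillic CN encoded as BMPString and as UTF8String yields two different escaped strings, while decoding each value according to its ASN.1 string type gives one canonical Unicode value that can be compared safely. The `oneline_escape()` helper is an assumed approximation of the escaping the thread describes (every byte outside printable ASCII rendered as \xHH), not OpenSSL's actual implementation.

```python
# Added example, not from the thread: compare X.509 name attributes by
# decoded value rather than by the escaped "human readable" display form.
# Pure Python; the DER fragments below are constructed for this example.

ASN1_BMPSTRING = 0x1E        # UCS-2, big-endian
ASN1_UTF8STRING = 0x0C
ASN1_PRINTABLESTRING = 0x13


def der_string(tag, value):
    """Encode a short (<128 byte) DirectoryString value as a DER TLV."""
    if tag == ASN1_BMPSTRING:
        body = value.encode("utf-16-be")
    elif tag in (ASN1_UTF8STRING, ASN1_PRINTABLESTRING):
        body = value.encode("utf-8")
    else:
        raise ValueError("unsupported string tag %#x" % tag)
    if len(body) >= 128:
        raise ValueError("only short-form lengths are handled here")
    return bytes([tag, len(body)]) + body


def parse_der_string(der):
    """Return (tag, raw_value_bytes) for one short-form DER string TLV."""
    tag, length = der[0], der[1]
    if length >= 128 or len(der) != 2 + length:
        raise ValueError("malformed or unsupported TLV")
    return tag, der[2:]


def oneline_escape(raw):
    """Assumed approximation of X509_NAME_oneline()'s escaping as described
    in the thread: bytes outside printable ASCII become \\xHH, the rest pass
    through unchanged. Note that it never looks at the ASN.1 string type."""
    out = []
    for b in raw:
        if b < 0x20 or b > 0x7E:
            out.append("\\x%02X" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def decode_directory_string(der):
    """Decode a DER string value to Unicode according to its ASN.1 type,
    which is what a comparison for access control should be based on."""
    tag, raw = parse_der_string(der)
    if tag == ASN1_BMPSTRING:
        return raw.decode("utf-16-be")
    if tag == ASN1_UTF8STRING:
        return raw.decode("utf-8")
    if tag == ASN1_PRINTABLESTRING:
        return raw.decode("ascii")
    raise ValueError("unsupported string type %#x" % tag)


def names_match(der_a, der_b):
    """Compare two attribute values by decoded content, not display form."""
    return decode_directory_string(der_a) == decode_directory_string(der_b)


# Constructed sample CN (a Russian given name), encoded two different ways.
NAME = "Дмитрий"
CN_BMP = der_string(ASN1_BMPSTRING, NAME)
CN_UTF8 = der_string(ASN1_UTF8STRING, NAME)

if __name__ == "__main__":
    # The BMPString form escapes to the "\x04\x14\x04<\x048..." pattern
    # quoted in the thread; the UTF8String form escapes to something else
    # entirely, so a strcmp()-style check on the display output would treat
    # the same name as two different identities.
    print(oneline_escape(parse_der_string(CN_BMP)[1]))
    print(oneline_escape(parse_der_string(CN_UTF8)[1]))
    print(names_match(CN_BMP, CN_UTF8))
```

The practical consequence for a module like mod_ssl is that any string-equality check on certificate names should be done on values decoded from their ASN.1 type (what X509_NAME_print_ex() with UTF-8 conversion exposes), never on a frozen display format whose escaping depends on the encoding the CA happened to choose.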