httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: SSLRequire & UTF-8 characters & backward compatibility
Date Thu, 30 Dec 2010 12:43:57 GMT
On Monday 20 December 2010, Stefan Fritsch wrote:
> > > Can
> > > we reject such certificates somehow? Should we close the
> > > connection if we see such a thing in ssl_var_lookup_ssl_cert?
> > > Or should we try to escape the 0-byte in the variable?
> >
> > The latter. I suggest using ASN1_STRING_print_ex() with
> > ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB (will escape them as
> > \0).
> 
> OK, makes sense.

ASN1_STRING_print_ex escapes a whole lot of other stuff, too. So this 
change would also introduce an incompatibility with 2.2.x for all the 
SSL_{CLIENT,SERVER}_{I,S}_DN_* variables. For example:

'Snake Oil, Ltd.' versus 'Snake Oil\, Ltd.'

This would then also be covered by the SSLOption LegacyDNStringFormat. 
Is this a good idea? I would like to have opinions from other people 
before committing this.


For reference, here is the list from RFC2253 of what is escaped:

    o   a space or "#" character occurring at the beginning of the
        string

    o   a space character occurring at the end of the string

    o   one of the characters ",", "+", """, "\", "<", ">" or ";"
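To make the compatibility point concrete, here is an added, stand-alone C implementation of the three RFC2253 escaping rules quoted above; it is not httpd's or OpenSSL's code. It assumes that control bytes (including an embedded 0-byte) are written as a backslash plus two hex digits, one concrete form of the `\0` escape mentioned in the reply, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Escape one DN attribute value of `len` bytes (which may contain NUL)
 * following the RFC2253 rules quoted above: a leading space or '#', a
 * trailing space, and any of , + " \ < > ; get a backslash in front.
 * Control bytes are written as \XX (hex, an assumption of this example)
 * so an embedded 0-byte can no longer truncate the resulting C string.
 * Returns the number of bytes written (excluding the terminator),
 * or -1 if `out` is too small. */
static int rfc2253_escape(const unsigned char *in, size_t len,
                          char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        int special = (c == ',' || c == '+' || c == '"' || c == '\\' ||
                       c == '<' || c == '>' || c == ';');
        if ((i == 0 && (c == ' ' || c == '#')) || (i == len - 1 && c == ' '))
            special = 1;                    /* positional rules */
        if (c < 0x20 || c == 0x7f) {        /* control byte: \XX */
            if (o + 3 >= outsz) return -1;
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
            continue;
        }
        if (special) {
            if (o + 2 >= outsz) return -1;
            out[o++] = '\\';
        } else if (o + 1 >= outsz) {
            return -1;
        }
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char buf[64];
    /* Constructed organisation name: 2.2.x would hand out the raw bytes,
     * the RFC2253 form gains a backslash before the comma. */
    rfc2253_escape((const unsigned char *)"Snake Oil, Ltd.", 15, buf, sizeof buf);
    printf("%s\n", buf);
    /* Constructed value with an embedded 0-byte: stays visible as \00. */
    rfc2253_escape((const unsigned char *)"ab\0cd", 5, buf, sizeof buf);
    printf("%s\n", buf);
    return 0;
}
```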
