httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject Re: SSLRequire & UTF-8 characters & backward compatibility
Date Mon, 03 Jan 2011 21:06:41 GMT
On Sunday 02 January 2011, Dr Stephen Henson wrote:
> On 02/01/2011 18:42, Stefan Fritsch wrote:
> > On Sunday 02 January 2011, Dr Stephen Henson wrote:
> >> There is a bug in OpenSSL currently for those options: it
> >> doesn't escape the escape character itself (which it should
> >> treat as a special case and always escape it if any other
> >> escaping is in use). That means some representations are
> >> ambiguous with those options.
> >> 
> >> When that is fixed even 7 bit without control characters will
> >> have at least one difference: the backslash will always appear
> >> escaped as "\\".
> > 
> > I guess backslashes are very seldomly used in certificates.
> > Therefore, I would just document that change for now and only
> > add a backward compatibility option if the change turns out to
> > be a problem for users.
> 
> I'm thinking here how that might be abused. In the current broken
> OpenSSL code it doesn't escape a backslash with those options. So
> the following look identical when printed:
> 
> 1. The single octet 0xFF.
> 
> 2. The three character string "\FF".

The single octet 0xFF should be converted to some UTF8 character 
according to the string type it occurs in, shouldn't it? Since we are 
only escaping control characters I expect that only the codes in the 
range \00 to \1F can appear in \xx form. Is this correct?

Mime
View raw message