httpd-dev mailing list archives

From Dr Stephen Henson <shen...@oss-institute.org>
Subject Re: SSLRequire & UTF-8 characters & backward compatibility
Date Sun, 02 Jan 2011 19:05:17 GMT
On 02/01/2011 18:42, Stefan Fritsch wrote:
> On Sunday 02 January 2011, Dr Stephen Henson wrote:
> 
>> There is a bug in OpenSSL currently for those options: it doesn't
>> escape the escape character itself (which it should treat as a
>> special case and always escape it if any other escaping is in
>> use). That means some representations are ambiguous with those
>> options.
>>
>> When that is fixed even 7 bit without control characters will have
>> at least one difference: the backslash will always appear escaped
>> as "\\".
> 
> I guess backslashes are very seldom used in certificates. Therefore, 
> I would just document that change for now and only add a backward 
> compatibility option if the change turns out to be a problem for 
> users.
> 

I'm thinking here how that might be abused. In the current broken OpenSSL code
it doesn't escape a backslash with those options. So the following look
identical when printed:

1. The single octet 0xFF.

2. The three character string "\FF".

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
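
The ambiguity described in the message above, as an added example that is not part of the original message and is not OpenSSL's code. It assumes a simplified escaper in which control and high-bit octets are printed as a backslash followed by two hex digits; `escape_value`, `collides` and the `escape_backslash` switch are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
/* Simplified escaper (an assumption, not OpenSSL's code): control and high-bit
 * octets print as backslash + two hex digits. With escape_backslash == 0 a
 * literal backslash passes through unchanged. Returns length, or -1 if full. */
int escape_value(const unsigned char *in, size_t len, int escape_backslash,
                 char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (o + 4 > outsz) return -1;   /* worst case "\XX" plus NUL */
        if (c < 0x20 || c >= 0x7F) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        } else {
            if (c == '\\' && escape_backslash)
                out[o++] = '\\';        /* fixed behaviour: "\" becomes "\\" */
            out[o++] = (char)c;
        }
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return (int)o;
}

/* 1 if two different octet strings print identically, 0 if not, -1 on error. */
int collides(const unsigned char *a, size_t alen,
             const unsigned char *b, size_t blen, int escape_backslash)
{
    char pa[64], pb[64];
    if (escape_value(a, alen, escape_backslash, pa, sizeof pa) < 0 ||
        escape_value(b, blen, escape_backslash, pb, sizeof pb) < 0)
        return -1;
    if (alen == blen && memcmp(a, b, alen) == 0)
        return 0;                       /* same input, not a collision */
    return strcmp(pa, pb) == 0;
}

int main(void)
{
    const unsigned char octet[] = { 0xFF };           /* constructed: value 1 */
    const unsigned char text[]  = { '\\', 'F', 'F' }; /* constructed: value 2 */
    printf("unescaped backslash: collide=%d\n", collides(octet, 1, text, 3, 0));
    printf("escaped backslash:   collide=%d\n", collides(octet, 1, text, 3, 1));
    return 0;
}
```

With the backslash left unescaped both values print as `\FF`; once it is always escaped, the three-character string prints as `\\FF` and the two can be told apart.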
