From: Stefan Fritsch
To: dev@httpd.apache.org
Subject: Re: SSLRequire & UTF-8 characters & backward compatibility
Date: Mon, 3 Jan 2011 22:06:41 +0100
Message-Id: <201101032206.42151.sf@sfritsch.de>

On Sunday 02 January 2011, Dr Stephen Henson wrote:
> On 02/01/2011 18:42, Stefan Fritsch wrote:
> > On Sunday 02 January 2011, Dr Stephen Henson wrote:
> >> There is a bug in OpenSSL currently for those options: it
> >> doesn't escape the escape character itself (which it should
> >> treat as a special case and always escape it if any other
> >> escaping is in use). That means some representations are
> >> ambiguous with those options.
> >>
> >> When that is fixed even 7 bit without control characters will
> >> have at least one difference: the backslash will always appear
> >> escaped as "\\".
> >
> > I guess backslashes are very seldomly used in certificates.
> > Therefore, I would just document that change for now and only
> > add a backward compatibility option if the change turns out to
> > be a problem for users.
>
> I'm thinking here how that might be abused. In the current broken
> OpenSSL code it doesn't escape a backslash with those options. So
> the following look identical when printed:
>
> 1. The single octet 0xFF.
>
> 2. The three character string "\FF".

The single octet 0xFF should be converted to some UTF8 character
according to the string type it occurs in, shouldn't it?

Since we are only escaping control characters I expect that only the
codes in the range \00 to \1F can appear in \xx form. Is this correct?
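
Added example, not part of the original message and not OpenSSL's code: a simplified C model of a `\XX` escaper, showing why leaving the backslash unescaped makes the printed form ambiguous for the thread's 0xFF / "\FF" pair and for the control-character analogue 0x1F / "\1F". The function names and the `esc_msb` / `esc_bs` switches are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a "\XX" escaper (assumption, not OpenSSL's code).
 * esc_msb: also escape bytes >= 0x80; esc_bs: escape the backslash itself. */
static size_t esc_print(const unsigned char *in, size_t len,
                        int esc_msb, int esc_bs, char *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        int w;
        if (c < 0x20 || (esc_msb && c >= 0x80))
            w = snprintf(out + n, cap - n, "\\%02X", c);
        else if (c == '\\' && esc_bs)
            w = snprintf(out + n, cap - n, "\\\\");
        else
            w = snprintf(out + n, cap - n, "%c", c);
        if (w < 0 || (size_t)w >= cap - n)
            return 0;                 /* output buffer too small */
        n += (size_t)w;
    }
    return n;
}

/* Returns 1 when two different inputs have the same printed form. */
static int collides(const unsigned char *a, size_t alen, const unsigned char *b,
                    size_t blen, int esc_msb, int esc_bs)
{
    char pa[64], pb[64];
    size_t na = esc_print(a, alen, esc_msb, esc_bs, pa, sizeof pa);
    size_t nb = esc_print(b, blen, esc_msb, esc_bs, pb, sizeof pb);
    return na != 0 && na == nb && memcmp(pa, pb, na) == 0;
}

/* Constructed inputs: a raw octet versus the literal text of its escape. */
static const unsigned char RAW_FF[] = { 0xFF };
static const unsigned char TXT_FF[] = { '\\', 'F', 'F' };
static const unsigned char RAW_1F[] = { 0x1F };
static const unsigned char TXT_1F[] = { '\\', '1', 'F' };

int main(void)
{
    printf("FF, backslash unescaped: %d\n", collides(RAW_FF, 1, TXT_FF, 3, 1, 0));
    printf("FF, backslash escaped:   %d\n", collides(RAW_FF, 1, TXT_FF, 3, 1, 1));
    printf("1F, backslash unescaped: %d\n", collides(RAW_1F, 1, TXT_1F, 3, 0, 0));
    printf("1F, backslash escaped:   %d\n", collides(RAW_1F, 1, TXT_1F, 3, 0, 1));
    return 0;
}
```

In this model the collision persists for the control range even when high bytes are never escaped, so any string comparison against the printed form is only unambiguous once the backslash itself is escaped.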