Victor Wagner wrote:
> On 2007.12.19 at 11:40:32 -0600, William A. Rowe, Jr. wrote:
> 
>> Victor Wagner wrote:
>>> On 2007.12.19 at 10:10:54 +0100, Yann wrote:
>>>
>>>> The changes regarding X509V3_EXT_print() seem more problematic since the 
>>>> extension values are used in string
>>>> comparison (strcmp and the like), hence the "human readable version", and 
>>>> the 
>>> I hope that saying "human readable" you mean utf-8?
>>> I'd say that "\x04\x14\x04<[EMAIL PROTECTED]
>>> 49\x00 \x04\x11\x045\x04" hardly means "human readable"
>> Uhm - I hope you don't have such patterns in utf-8 strings.
> 
> This pattern is a perfectly readable Russian name from a certificate CN,
> which was printed out that way by the now deprecated X509_NAME_oneline
> function. You see just escape sequences instead of readable Cyrillic.
> 
> X509_NAME_oneline always has the ASN1_STRFLGS_ESC_MSB flag turned on
> (and doesn't allow other flags to be specified).
> 
> This flag is still on by default in non-deprecated functions.
> 
> Problem is that ASN.1 has different types of strings. In this case
> name was encoded as BMPString rather than UTF8String. And
> X509_NAME_oneline doesn't do CONVERSION to Utf8.
> 

Yes I noticed mod_ssl uses the obsolete X509_NAME_oneline() function all
over the place.

It has many flaws, mishandling of ASN1 string types, odd display of some
attributes and mishandling of multi-value AVAs not the least of them.

In OpenSSL we would've liked to change X509_NAME_oneline() to a less
broken and more Utf8 friendly version but we have to retain
compatibility with the old behaviour.

Some applications (arguably wrongly) use the output of
X509_NAME_oneline() and strcmp() and friends for access control
purposes. If we changed the format those would be broken by the change.

So instead we froze the X509_NAME_oneline() format, deprecated it and
recommended all new applications use X509_NAME_print_ex() instead.

Again it shows the problems with trying to parse the output of functions
which are only supposed to give a human readable format.

I realise in this case that "human readable" is stretching the
definition beyond breaking point for X509_NAME_oneline() and the above
example. However when it was originally developed (at the dawn of time
in SSLeay) BMPStrings and UTF8Strings weren't even supported in the main
library.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
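The mismatch Victor and Steve describe, as an added example that is not part of this thread or of OpenSSL's code: a constructed Cyrillic CN rendered through an assumed approximation of the legacy X509_NAME_oneline() escaping (control and non-ASCII bytes become \xHH, no charset conversion) and through a proper BMPString-to-UTF-8 conversion. The same name encoded as BMPString and as UTF8String produces two different one-line strings, which is why strcmp() on that output is unreliable for access-control decisions.

```c
#include <string.h>

/* Assumed approximation of the legacy X509_NAME_oneline() escaping (not OpenSSL's
 * code): bytes outside printable ASCII become \xHH; the ASN.1 string type is
 * ignored, so no charset conversion happens. */
static void legacy_escape(const unsigned char *in, size_t n, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (size_t i = 0; i < n && o + 5 < cap; i++) {
        if (in[i] < ' ' || in[i] > '~') {
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[in[i] >> 4]; out[o++] = hex[in[i] & 0x0F];
        } else {
            out[o++] = (char)in[i];
        }
    }
    out[o] = '\0';
}

/* Convert BMPString content (UCS-2, big-endian) to UTF-8; odd lengths and surrogates are invalid. */
static int bmp_to_utf8(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t o = 0;
    if (n % 2 != 0) return -1;
    for (size_t i = 0; i < n; i += 2) {
        unsigned cp = ((unsigned)in[i] << 8) | in[i + 1];
        if ((cp >= 0xD800 && cp <= 0xDFFF) || o + 4 > cap) return -1;
        if (cp < 0x80) {
            out[o++] = (char)cp;
        } else if (cp < 0x800) {
            out[o++] = (char)(0xC0 | (cp >> 6));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        } else {
            out[o++] = (char)(0xE0 | (cp >> 12));
            out[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            out[o++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    out[o] = '\0';
    return 0;
}

/* Constructed sample: CN "Иван" as BMPString content and as UTF8String content. */
static const unsigned char cn_bmp[]  = {0x04,0x18, 0x04,0x32, 0x04,0x30, 0x04,0x3D};
static const unsigned char cn_utf8[] = {0xD0,0x98, 0xD0,0xB2, 0xD0,0xB0, 0xD0,0xBD};
/* The three renderings of the sample; legacy_form_bmp() != legacy_form_utf8(). */
const char *legacy_form_bmp(void)  { static char s[64]; legacy_escape(cn_bmp, sizeof cn_bmp, s, sizeof s); return s; }
const char *legacy_form_utf8(void) { static char s[64]; legacy_escape(cn_utf8, sizeof cn_utf8, s, sizeof s); return s; }
const char *utf8_form_bmp(void)    { static char s[64]; return bmp_to_utf8(cn_bmp, sizeof cn_bmp, s, sizeof s) == 0 ? s : ""; }
```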
