On 2007.12.20 at 13:53:12 +0000, Dr Stephen Henson wrote:
> Yes I noticed mod_ssl uses the obsolete X509_NAME_oneline() function all
> over the place.
The problem is that it was written a long time ago, when no better way existed. Someone has to go over the code and change it to the more modern API. And most OpenSSL applications have the same problem. I've already spent considerable time convincing authors of various applications that OPENSSL_config (which has been there since 0.9.7) ought to be called. Maybe it's worth the trouble to add __attribute__((deprecated)) to the definition of this function (for the GCC target at least). It would make application developers aware that something has changed. Nobody fixes things which are not broken, but a compile-time warning may cause a re-reading of the documentation.

> Some applications (arguably wrongly) use the output of
> X509_NAME_oneline() and strcmp() and friends for access control
> purposes. If we changed the format those would be broken by the change.

Really, this is not a big trouble. Typically, one expects that when a new version of an application is installed (and it would require a new version of the application, or at least a new version of the package, to switch to newer libraries; typically distributions allow several libcrypto versions to be installed simultaneously) some config files will be broken and need adaptation to the new version. If some tool to convert old access lists to the new format were provided, most system administrators would respect the change from unreadable escapes into nice readable UTF-8. I already have some perl code to convert the output of X509_NAME_oneline in the index.txt files of the OpenSSL ca command into readable form. BTW, the openssl ca command honors the config file parameter utf8=yes, and might be changed to use the better functions IF THIS PARAMETER IS SET right now.

Concerning Apache, which uses a lot of environment variables to export certificate information to scripts, maybe it is worth looking at the PostgreSQL (8.2+) contrib ssl_info module. It does almost the same thing: it gives access to client certificate info, for informational purposes, to triggers and stored procedures.
Although it doesn't deal with extensions yet.
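As an added example (not part of this message, nor code from OpenSSL), the kind of conversion the reply describes for index.txt: a decoder that turns X509_NAME_oneline() output, with its \xHH escapes, back into UTF-8 and renders it in RFC 2253 form. It assumes the escaped attributes were UTF8Strings (the utf8=yes case); the sample DN and index.txt line are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample (not from the message): X509_NAME_oneline() output for a
# subject whose O= attribute is the UTF8String "Тест"; every byte outside
# printable ASCII is rendered as a \xHH escape.
SAMPLE_ONELINE = "/C=RU/O=\\xD0\\xA2\\xD0\\xB5\\xD1\\x81\\xD1\\x82/CN=www.example.com"

# "/type=value"; a value may hold \xHH escapes and (newer OpenSSL) "\/" or "\+".
_RDN_RE = re.compile(r"/([^=/]+)=((?:\\x[0-9A-Fa-f]{2}|\\.|[^/\\])*)")
_ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\(.)")
_RFC2253_SPECIAL = set(',+"\\<>;')  # characters RFC 2253 requires escaping


def _unescape_value(raw: str) -> str:
    # Rebuild the attribute's bytes, then decode them as UTF-8 (assumes the
    # attribute was a UTF8String, as written by 'openssl ca' with utf8=yes).
    buf, pos = bytearray(), 0
    for m in _ESC_RE.finditer(raw):
        buf += raw[pos:m.start()].encode("utf-8")
        if m.group(1) is not None:
            buf.append(int(m.group(1), 16))      # \xHH -> one raw byte
        else:
            buf += m.group(2).encode("utf-8")    # \/ or \+ -> the character
        pos = m.end()
    buf += raw[pos:].encode("utf-8")
    return buf.decode("utf-8", errors="replace")

def parse_oneline(dn: str) -> List[Tuple[str, str]]:
    """Split an X509_NAME_oneline() string into (type, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("oneline DN must start with '/'")
    return [(m.group(1), _unescape_value(m.group(2))) for m in _RDN_RE.finditer(dn)]

def _escape_rfc2253(value: str) -> str:
    out = "".join("\\" + c if c in _RFC2253_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def to_rfc2253(dn: str) -> str:
    """RFC 2253 form, most specific RDN first, UTF-8 left unescaped (like
    X509_NAME_print_ex() with XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)."""
    return ",".join(f"{t}={_escape_rfc2253(v)}" for t, v in reversed(parse_oneline(dn)))

def convert_index_line(line: str) -> str:
    """Rewrite the subject (last tab-separated field) of an 'openssl ca' index.txt line."""
    fields = line.rstrip("\n").split("\t")
    fields[-1] = to_rfc2253(fields[-1])
    return "\t".join(fields)
```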
