On Wed, 2008-08-13 at 17:03 -0700, Mohan, Dharmendra wrote:
> Hi,
>
> I had a list of CA certificates, a few with different encoding
> than PRINTABLE encoding like T61 and UTF8. I am running into the
> problem of not being able to verify some of the certificates issued by CA
> certificates in the cert store despite the fact that they do exist in the
> store.
>
> Deep analysis of the code revealed that the problem is with sorting and
> searching. The sorted list is not correct and hence the binary search fails.
> The root cause of the problem turned out to be the function X509_NAME_cmp.
> It appears that it doesn't implement the comparisons as specified in RFC5280,
> which refers to RFC4518 for rules to do comparison for Internationalized
> Names in Distinguished Names. To quote from RFC4518:
>
>    The lack of precise specification for character string matching has
>    led to significant interoperability problems. When used in
>    certificate chain validation, security vulnerabilities can arise. To
>    address these problems, this document defines precise algorithms for
>    preparing character strings for matching.
>
> Is there a plan to implement RFC4518 for comparison rules? Or are they being
> implemented currently?
>
> Is there a workaround to support a list of CA certificates with mixed
> encoding in the meantime?
We've run into the same issues earlier. There are two open PR tracker items, but apart from some hacky patches no real solution exists.

-- 
Bazsi

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
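Added example (not code from this thread or from OpenSSL): a small Python model of the failure described above. A store of CA subject names is sorted and searched with a DER-style key (string tag plus raw bytes), so an issuer name that encodes the same CA with a different ASN.1 string type is never found; switching both the sort and the lookup to a simplified RFC 4518 preparation step (transcode, NFKC, case fold, whitespace collapse) makes the binary search succeed. The DN model (attribute types omitted), tag constants and sample names are assumptions, and the preparation is a subset of the RFC.

```python
import bisect
import unicodedata

# ASN.1 universal tags of the string types named in the thread (UTF8String,
# PrintableString, T61String). Assumption for this model: a DN is a list of
# (tag, raw_bytes) attribute values; attribute types are left out.
UTF8, PRINTABLE, T61 = 12, 19, 20

def der_key(name):
    """DER-style key: tag and raw bytes must match exactly, no normalisation."""
    return tuple((tag, raw) for tag, raw in name)

def prepare(tag, raw):
    """Simplified RFC 4518 preparation of one attribute value.

    Transcode -> NFKC (Normalize) -> case fold (Map) -> collapse insignificant
    whitespace. A subset of the RFC, enough to show why it matters.
    """
    text = raw.decode("utf-8" if tag == UTF8 else "latin-1")
    text = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(text.split())

def prepared_key(name):
    """Key that ignores string type, case and whitespace differences."""
    return tuple(prepare(tag, raw) for tag, raw in name)

class NameStore:
    """Sorted list of CA subject names searched with binary search."""
    def __init__(self, names, key):
        self.key = key
        self.names = sorted(names, key=key)        # sort with the same key...
        self.keys = [key(n) for n in self.names]   # ...that the lookup uses
    def find(self, name):
        k = self.key(name)
        i = bisect.bisect_left(self.keys, k)
        if i < len(self.keys) and self.keys[i] == k:
            return self.names[i]
        return None

# Constructed sample data: CA subjects as stored, and the issuer name as it
# is encoded in a leaf certificate (same CA, but UTF8String, other case,
# extra whitespace).
CA_SUBJECTS = [
    [(PRINTABLE, b"Example Root CA"), (PRINTABLE, b"US")],
    [(T61, b"Other CA"), (PRINTABLE, b"DE")],
]
ISSUER_IN_LEAF = [(UTF8, b"example  root ca"), (UTF8, b"US")]

def lookup_issuer(key):
    """Return the stored CA subject matching ISSUER_IN_LEAF under `key`, else None."""
    return NameStore(CA_SUBJECTS, key).find(ISSUER_IN_LEAF)

if __name__ == "__main__":
    print("DER-style lookup:", lookup_issuer(der_key))        # None: not found
    print("RFC 4518-style lookup:", lookup_issuer(prepared_key))
```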