Hi,

On Tuesday 29 July 2014 22:43:00 Kurt Roeckx wrote:
> On Tue, Jul 29, 2014 at 10:56:14AM +0100, Rob Stradling wrote:
> > And Section 4.2.1.4 says that PrintableString and UTF8String are now
> > equally preferred.
> >
> > Which of these RFCs does OpenSSL (cl)aim to be compliant with?
>
> I think 5280 makes more sense. If it can be written as a
> PrintableString I have no problem with defaulting to a
> PrintableString. We clearly only want to write either
> UTF8String or PrintableString, at least by default.
>
> But I'm not sure how for instance racoon works, and why it breaks
> exactly, but it sounds like it's broken in any case?
The exact problem is as follows:

* One configures racoon to match a certain Name (e.g. C=UK, CN=test)
* Racoon runs on a box with an older openssl version
* One creates a certificate that matches the name, using a newer openssl version. Then tries to connect to the remote racoon with it.

Now racoon has got the certificate which was created with a new openssl version (thus using UTF8String). It then compiles the X509Name from the string in its config, but since it runs on an older openssl version the Name uses PrintableString where possible. Racoon then compares these two by comparing first the type and then the content. Since one has UTF8String and the other has PrintableString, it breaks.

Obviously this is a bug of racoon (the newer versions seem to have rewritten that part of the code), but this change practically broke racoon for Debian Stable. I.e. creating a new certificate using the same process ended up in a non-working client-server setup, where it was working before.

FWIW, I believe that the older OpenSSL version was very decent in generating the name: It had a bitmap of possible types and it was then scanning to determine the minimal type that can be used. For ASCII that was mostly PrintableString.

Thanks,
Stefanos

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
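The failure mode described in the message above, as an added example that is not code from OpenSSL, racoon or the thread's authors. It models an X.509 Name attribute as a DER TLV, approximates the two string-type selection policies the message contrasts (smallest type that fits, versus UTF8String by default), and shows why a comparison that checks the ASN.1 tag before the content rejects two Names that carry the same text. The `names_equal_canonical` function is an assumption about how a type-agnostic comparison behaves (decode both strings to text, fold case and collapse whitespace); it is modelled on the canonical-form comparison of newer OpenSSL but is not its implementation. All names, sample values and helper functions are constructed for this example.

```python
# Added example (not OpenSSL's or racoon's code): a minimal DER model of
# X.509 Name attribute values and two ways of comparing them.
import re

PRINTABLE_STRING = 0x13   # ASN.1 universal tag for PrintableString
UTF8_STRING = 0x0C        # ASN.1 universal tag for UTF8String

# PrintableString alphabet (X.680): A-Z a-z 0-9 space ' ( ) + , - . / : = ?
_PRINTABLE_RE = re.compile(r"[A-Za-z0-9 '()+,\-./:=?]*")


def choose_string_type(value: str, prefer_utf8: bool = False) -> int:
    """Pick the ASN.1 string type for an attribute value.

    prefer_utf8=False approximates the older behaviour the message describes
    (smallest type that can hold the value, so PrintableString for plain ASCII).
    prefer_utf8=True approximates a newer default of UTF8String for everything.
    Both policies are assumptions for this example, not OpenSSL's exact logic.
    """
    if prefer_utf8:
        return UTF8_STRING
    return PRINTABLE_STRING if _PRINTABLE_RE.fullmatch(value) else UTF8_STRING


def der_encode_string(tag: int, value: str) -> bytes:
    """DER tag-length-value for a short (<128 byte) string with the given tag."""
    data = value.encode("ascii") if tag == PRINTABLE_STRING else value.encode("utf-8")
    assert len(data) < 128, "short-form length only in this example"
    return bytes([tag, len(data)]) + data


def build_name(attrs, prefer_utf8=False):
    """Encode [("C", "UK"), ("CN", "test")] into (attribute, DER value) pairs."""
    return [(attr, der_encode_string(choose_string_type(val, prefer_utf8), val))
            for attr, val in attrs]


def names_equal_strict(a, b) -> bool:
    """racoon-style comparison: the tag, then the raw content, must match.

    Because the tag byte is the first byte of the DER value, a UTF8String
    and a PrintableString holding identical text never compare equal here.
    """
    return len(a) == len(b) and all(
        ta == tb and va == vb for (ta, va), (tb, vb) in zip(a, b))


def _canonical(value_der: bytes) -> str:
    """Decode a DER string value to text, ignoring which string type was used.

    Case folding and whitespace collapsing are assumed canonicalisation rules
    for this example.
    """
    tag, length = value_der[0], value_der[1]
    body = value_der[2:2 + length]
    text = body.decode("ascii") if tag == PRINTABLE_STRING else body.decode("utf-8")
    return " ".join(text.split()).casefold()


def names_equal_canonical(a, b) -> bool:
    """Type-agnostic comparison: same attributes, same canonical text."""
    return len(a) == len(b) and all(
        ta == tb and _canonical(va) == _canonical(vb)
        for (ta, va), (tb, vb) in zip(a, b))


if __name__ == "__main__":
    # Constructed scenario from the message: the config-derived Name is built
    # with the old policy, the certificate's Name with the new one.
    config_name = build_name([("C", "UK"), ("CN", "test")], prefer_utf8=False)
    cert_name = build_name([("C", "UK"), ("CN", "test")], prefer_utf8=True)
    print("strict match:   ", names_equal_strict(config_name, cert_name))
    print("canonical match:", names_equal_canonical(config_name, cert_name))
```

Running the block prints `strict match: False` and `canonical match: True` for the C=UK, CN=test Name from the message: the strict comparison is what breaks the old racoon, and the canonical comparison is the kind of check a peer needs if it is to accept certificates from tools that choose string types differently.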