On Tue, Nov 30, 2004, Dr. Stephen Henson wrote:

> On Mon, Nov 29, 2004, Manfred Faulandt wrote:
>
> > Many thanks for the very competent answer. We noticed the UTF8 encoding
> > but thought about it as a "why not?" matter (and we didn't look into an
> > RFC either).
> >
> > The CA is a Microsoft Shop and Internet Explorer is happy with the
> > certificates they issue. I'll check their site again for something like a
> > "name rollover" certificate but as far as I remember they offer nothing
> > - at least not yet - in this direction.
>
> It looks like it doesn't support a "name rollover" certificate. IE works
> because it uses key ID matching as I suspected earlier.
>
> I think the only real solution is to have OpenSSL's name comparison code at
> least partially handle comparisons between character types.
>
> I've been looking for a good excuse to look at that code for a while. What we
> currently have isn't very efficient and it doesn't cope with all cases either.
>
> I may be gone for some time...

I've committed a fix which will handle that particular case if the trusted
root CA is preloaded: that is passed with the equivalent of -CAfile and not
-CApath. It will appear in the next snapshot.

I'll look into a more efficient fix.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
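
Added example, not part of the original messages and not OpenSSL's code: a sketch of why an issuer name encoded as UTF8String fails a byte-wise match against the same text encoded with another string type, and how decoding before comparing resolves it. The names, the sample values, the PrintableString on the root side, and the simplified case/whitespace folding are all assumptions made for illustration.

```python
import unicodedata

# ASN.1 universal tags for string types commonly seen in X.509 names,
# mapped to the Python codec that decodes their contents.
PRINTABLE, UTF8, IA5, BMP = 0x13, 0x0C, 0x16, 0x1E
CODECS = {PRINTABLE: "ascii", IA5: "ascii", UTF8: "utf-8", BMP: "utf-16-be"}

def der_string(tag, text):
    """Encode text as a DER string of the given type (short-form length only)."""
    body = text.encode(CODECS[tag])
    if len(body) > 127:
        raise ValueError("long-form lengths are outside this sketch")
    return bytes([tag, len(body)]) + body

def parse_der_string(der):
    """Return (tag, text) for one DER-encoded string value."""
    if len(der) < 2 or der[0] not in CODECS:
        raise ValueError("unsupported or truncated string value")
    tag, length = der[0], der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad length")
    return tag, der[2:].decode(CODECS[tag])

def canonical(der):
    """Decode to Unicode, then fold case and collapse whitespace (simplified)."""
    _, text = parse_der_string(der)
    return " ".join(unicodedata.normalize("NFC", text).casefold().split())

def bytewise_match(a, b):
    # Compares the encodings, so the string type tag takes part in the result.
    return a == b

def type_aware_match(a, b):
    # Compares the decoded characters, so the string type no longer matters.
    return canonical(a) == canonical(b)

# Constructed sample values: the same CN text in two encodings.
ISSUER_IN_LEAF = der_string(UTF8, "Example Root CA")       # as written by the CA
SUBJECT_IN_ROOT = der_string(PRINTABLE, "Example Root CA")  # assumed root encoding

if __name__ == "__main__":
    print("byte-wise :", bytewise_match(ISSUER_IN_LEAF, SUBJECT_IN_ROOT))
    print("type-aware:", type_aware_match(ISSUER_IN_LEAF, SUBJECT_IN_ROOT))
```

Name matching only selects a candidate issuer; the certificate's signature still has to verify under that issuer's key.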