Thanks Dr. Stephen an Mr. Willy Weisz, the comments clarifies the
different matching options. Still, bugged with the details that made OpenSSL complain about two strings apparently equal, I've sniffed out the certificates: 0.9.8 SET (1 elem)
SEQUENCE (2 elem)
OBJECT IDENTIFIER 2.5.4.10
PrintableString [ACME
SA]
BR,1.0.0 SET (1 elem)
SEQUENCE (2 elem)
OBJECT IDENTIFIER
2.5.4.10
UTF8String [ACME
SA]
So now accented characters seems allowed, though I'm not the one that dare to use them :) Gabriel. On 19-09-2011 14:20, Dr. Stephen Henson wrote: On Mon, Sep 19, 2011, Gabriel Marques wrote:Hello folks,I'm developing a tool for signing digital TV apps, and for testing I'm creating a lot of different test scenarios. Well, using OpenSSL 1.0.0e to create a new certificate, signed by a snakeoil one I got the following error: --> The stateOrProvinceName field needed to be the same in the --> CA certificate (SP) and the request (SP) As it was just a test, I've changed openssl.conf to: ... [ policy_match ] countryName = match stateOrProvinceName = optional organizationName = match ... But then I get: --> The organizationName field needed to be the same in the --> CA certificate (ACME SA) and the request (ACME SA) I can just put everithing as optional, as it's just a test scenario and this issue is not in the scope of the test, but it made me wonder what was going on, as the Ubuntu distro version of OpenSSL (0.98 k) was not complaining, with the same conf. file.This is expected behaviour. You can use the policy_anything policy instead which is far less strict. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org --
|
- Bug in [ policy_match ] among OpenSSL versions? Gabriel Marques
- Re: Bug in [ policy_match ] among OpenSSL versions... Willy Weisz
- Re: Bug in [ policy_match ] among OpenSSL versions... Dr. Stephen Henson
- Re: Bug in [ policy_match ] among OpenSSL vers... Gabriel Marques