Re: Bug in [ policy_match ] among OpenSSL versions?

[Gabriel Marques]

Thanks Dr. Stephen an Mr. Willy Weisz, the comments clarifies the different matching options. Still, bugged with the details that made OpenSSL complain about two strings apparently equal, I've sniffed out the certificates: 0.9.8 SET (1 elem) SEQUENCE (2 elem) OBJECT IDENTIFIER 2.5.4.10 PrintableString [ACME SA] 1.0.0 SET (1 elem) SEQUENCE (2 elem) OBJECT IDENTIFIER 2.5.4.10 UTF8String [ACME SA] So now accented characters seems allowed, though I'm not the one that dare to use them :) BR,    Gabriel. On 19-09-2011 14:20, Dr. Stephen Henson wrote: On Mon, Sep 19, 2011, Gabriel Marques wrote: Hello folks, I'm developing a tool for signing digital TV apps, and for testing I'm creating a lot of different test scenarios. Well, using OpenSSL 1.0.0e to create a new certificate, signed by a snakeoil one I got the following error: --> The stateOrProvinceName field needed to be the same in the --> CA certificate (SP) and the request (SP) As it was just a test, I've changed openssl.conf to: ... [ policy_match ] countryName = match stateOrProvinceName = optional organizationName = match ... But then I get: --> The organizationName field needed to be the same in the --> CA certificate (ACME SA) and the request (ACME SA) I can just put everithing as optional, as it's just a test scenario and this issue is not in the scope of the test, but it made me wonder what was going on, as the Ubuntu distro version of OpenSSL (0.98 k) was not complaining, with the same conf. file. This is expected behaviour. You can use the policy_anything policy instead which is far less strict. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org -- Gabriel Marques R&D Technical Leader Fundação CERTI CCD g...@certi.org.br www.certi.org.br Fone: +55 48 3239-2163 Fax: +55 48 3239-2009 Esta mensagem (incluindo arquivos anexos) contém informações confidenciais, privilegiadas ou protegidas por lei. Ela é dirigida exclusivamente ao seu destinatário que a empregará nos ditames legais. Se você não é o destinatário desta mensagem, deve imediatamente destruí-la e advertir o remetente do erro de envio e a destruição da mensagem. Qualquer divulgação, utilização, disseminação ou reprodução (total ou parcial) desta mensagem ou das informações nela contidas é proibida e sujeitará a sanções criminais a que incorrer, sem prejuízo de perdas e danos. This e-mail (including attached files) contains information that is confidential, privileged or protected by law. It is intended solely for the addressee who will use it under the applicable law. If you are not the intended recipient, you must immediately destroy it and notify the sender of the delivery error and destruction of this message. Any disclosure, use, dissemination or reproduction (in full or in part) of this message or its contents is prohibited and will result in criminal sanctions, without prejudice to any damages.