On Mon, Jul 07, 2014, Dave Thompson wrote: > > The only thing that springs to mind that could be invisible is string types > and > some options of the cert Issuer fields vs the CA Subject. RFC 5280 requires > a > fairly complicated Unicode-aware comparison algorithm which I believe > openssl > does (it definitely canonicalizes before comparison, but I haven't gone > through > the canonicalization to make sure it exactly matches the RFC); browsers > might > not do the same (perhaps indirectly) although I'd be surprised if NONE do. >
OpenSSL currently doesn't perform the full canonicalisation of RFC5280. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
