Heikki Kallasjoki wrote:
The OpenSSL-based common name extraction code in current revision (2965) of the BETA21 branch is still incorrect in the cases where the extracted field is the first one in the DN:extract_x509_field_ssl: int lastpos = -1; int tmp = -1; ... do { lastpos = tmp; tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos); } while (tmp > 0); When there is only one common name field in the DN and it is the first field, the first call of X509_NAME_get_index_by_NID will return the index 0, at which point the loop will terminate, leaving -1 in lastpos and causing the extract_x509_field_ssl function to fail. Changing the test to "tmp > -1" fixes the bug, since X509_NAME_get_index_by_NID will return -1 if the field is not found. (This sort of situation happens with cacert.org client certificates, where the subject name is of the form "/CN=Real Name/[email protected]".)
A fix for this has been committed: ------------------------------------------------------------------------ r2980 | james | 2008-06-04 00:17:53 -0600 (Wed, 04 Jun 2008) | 6 lines Changed paths: M /branches/BETA21/openvpn/ssl.c Fixed an issue in extract_x509_field_ssl where the extraction would fail on the first field of the subject name, such as the common name in: /CN=foo/[email protected] ------------------------------------------------------------------------ James
