On Monday 20 December 2010, Stefan Fritsch wrote:
> > > Can we reject such certificates somehow? Should we close the
> > > connection if we see such a thing in ssl_var_lookup_ssl_cert?
> > > Or should we try to escape the 0-byte in the variable?
> >
> > The latter. I suggest using ASN1_STRING_print_ex() with
> > ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB (will escape them as
> > \0).
>
> OK, makes sense.
ASN1_STRING_print_ex escapes a whole lot of other stuff, too. So this change would also introduce an incompatibility with 2.2.x for all the SSL_{CLIENT,SERVER}_{I,S}_DN_* variables. For example: 'Snake Oil, Ltd.' versus 'Snake Oil\, Ltd.' This would then also be covered by the SSLOption LegacyDNStringFormat.

Is this a good idea? I would like to have opinions from other people before committing this.

For reference, here is the list from RFC2253 of what is escaped:

 o a space or "#" character occurring at the beginning of the string
 o a space character occurring at the end of the string
 o one of the characters ",", "+", """, "\", "<", ">" or ";"
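To make the two points of the discussion concrete (the RFC 2253 escape list above, and why a 0-byte in a DN component has to be escaped rather than copied), here is a small stand-alone C escaper. It is an added example for this thread, not code from httpd's mod_ssl or from OpenSSL's ASN1_STRING_print_ex(): it applies exactly the three RFC 2253 rules listed above and writes NUL and other control bytes in the \XX hex form that RFC 2253 section 2.4 permits (which is the form OpenSSL's ASN1_STRFLGS_ESC_CTRL flag, part of the ASN1_STRFLGS_RFC2253 set, produces for a 0-byte, i.e. \00). The sample CN with an embedded NUL is constructed for the example. The function takes an explicit length because the whole point is that strlen() stops at the injected byte, which naive_visible_length() demonstrates.

```c
/* rfc2253_escape.c -- added example, not httpd/mod_ssl or OpenSSL code */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters that RFC 2253 section 2.4 requires to be backslash-escaped
 * wherever they occur in an attribute value. */
static int needs_escape(unsigned char c)
{
    return c == ',' || c == '+' || c == '"' || c == '\\' ||
           c == '<' || c == '>' || c == ';';
}

/* Escape an attribute value of explicit length LEN (it may contain NUL
 * bytes, so strlen() must not be used on it) into a malloc'd C string.
 * Rules applied:
 *  - a leading space or '#', and a trailing space, get a backslash prefix
 *  - ',' '+' '"' '\' '<' '>' ';' get a backslash prefix
 *  - NUL and other control bytes (< 0x20, 0x7f) are written as \XX hex,
 *    so the result is an ordinary C string that cannot be truncated at
 *    an embedded NUL.
 * Returns NULL on allocation failure. */
char *rfc2253_escape(const unsigned char *val, size_t len)
{
    /* worst case: every byte becomes \XX (3 chars) plus the terminator */
    char *out = malloc(len * 3 + 1);
    char *p = out;
    size_t i;

    if (out == NULL)
        return NULL;

    for (i = 0; i < len; i++) {
        unsigned char c = val[i];
        if (c < 0x20 || c == 0x7f) {
            p += sprintf(p, "\\%02X", c);
        } else if (needs_escape(c) ||
                   (i == 0 && (c == ' ' || c == '#')) ||
                   (i == len - 1 && c == ' ')) {
            *p++ = '\\';
            *p++ = (char)c;
        } else {
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Convenience wrapper for values known to be NUL-free C strings. */
char *rfc2253_escape_str(const char *s)
{
    return rfc2253_escape((const unsigned char *)s, strlen(s));
}

/* What a strlen()-based copy of the same value sees: everything after the
 * embedded NUL is silently dropped. */
size_t naive_visible_length(const unsigned char *val)
{
    return strlen((const char *)val);
}

/* Helper for checks: 1 if VAL/LEN escapes exactly to EXPECTED. */
int escapes_to(const unsigned char *val, size_t len, const char *expected)
{
    char *e = rfc2253_escape(val, len);
    int ok = (e != NULL && strcmp(e, expected) == 0);
    free(e);
    return ok;
}

int str_escapes_to(const char *s, const char *expected)
{
    return escapes_to((const unsigned char *)s, strlen(s), expected);
}

int main(void)
{
    /* constructed CN with an embedded NUL: "www.good.example\0.evil.example" */
    static const unsigned char cn[] = "www.good.example\0.evil.example";
    size_t cn_len = sizeof(cn) - 1;   /* 30 bytes, NUL included */
    char *e;

    e = rfc2253_escape(cn, cn_len);
    printf("length-aware: %s\n", e);
    printf("strlen sees : %zu of %zu bytes\n", naive_visible_length(cn), cn_len);
    free(e);

    e = rfc2253_escape_str("Snake Oil, Ltd.");
    printf("%s\n", e);
    free(e);
    return 0;
}
```

Note that '#' is only escaped at the start of the value and a space only at the start or end, so 'a#b' is left alone while 'Snake Oil, Ltd.' becomes 'Snake Oil\, Ltd.', which is the 2.2.x incompatibility the message is asking about.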