On Monday 20 December 2010, Stefan Fritsch wrote:
> > > Can we reject such certificates somehow? Should we close the
> > > connection if we see such a thing in ssl_var_lookup_ssl_cert?
> > > Or should we try to escape the 0-byte in the variable?
> >
> > The latter. I suggest using ASN1_STRING_print_ex() with
> > ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB (will escape them as
> > \0).
> 
> OK, makes sense.

ASN1_STRING_print_ex escapes a whole lot of other stuff, too. So this 
change would also introduce an incompatibility with 2.2.x for all the 
SSL_{CLIENT,SERVER}_{I,S}_DN_* variables. For example:

'Snake Oil, Ltd.' versus 'Snake Oil\, Ltd.'

This would then also be covered by the SSLOption LegacyDNStringFormat. 
Is this a good idea? I would like to have opinions from other people 
before committing this.


For reference, here is the list from RFC2253 what is escaped:

    o   a space or "#" character occurring at the beginning of the
        string

    o   a space character occurring at the end of the string

    o   one of the characters ",", "+", """, "\", "<", ">" or ";"
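As an added example (not code from this thread or from mod_ssl), the function below applies the RFC 2253 escaping rules listed above to a DN attribute value passed with an explicit length, so an embedded 0-byte cannot truncate it; it assumes, as OpenSSL's RFC2253 output does, that control bytes including the 0-byte are written as a backslash followed by two hex digits, and that bytes 0x80 and above are left alone (the ~ASN1_STRFLGS_ESC_MSB part).

```c
/* Added example, not mod_ssl code: RFC 2253 escaping of one DN attribute
 * value. The length is explicit because a 0-byte inside the value would
 * otherwise end the string early if it were handled as a plain C string. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Escape `in` (len bytes) into `out` (capacity outcap, NUL-terminated).
 * Returns the escaped length, or -1 if `out` is too small. Rules applied:
 *  - a leading space or '#', and a trailing space, get a backslash
 *  - , + " \ < > ; get a backslash
 *  - bytes below 0x20 and 0x7f (the 0-byte included) become \XX hex
 *    (assumption: mirrors OpenSSL's RFC2253 rendering; bytes >= 0x80
 *    are passed through, matching ~ASN1_STRFLGS_ESC_MSB) */
long rfc2253_escape(const unsigned char *in, size_t len, char *out, size_t outcap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];
        if (c < 0x20 || c == 0x7f) {
            /* control byte: three characters, plus room for the terminator */
            if (o + 3 >= outcap) return -1;
            out[o++] = '\\'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 0xf];
            continue;
        }
        int special = strchr(",+\"\\<>;", c) != NULL;
        int edge = (i == 0 && (c == ' ' || c == '#')) ||
                   (i == len - 1 && c == ' ');
        if (special || edge) {
            if (o + 1 >= outcap) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outcap) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* constructed sample values: the thread's example and a value with a 0-byte */
    const unsigned char org[] = "Snake Oil, Ltd.";
    const unsigned char cn[] = {'a', 'b', 0x00, 'c', 'd'};
    char buf[64];
    if (rfc2253_escape(org, sizeof org - 1, buf, sizeof buf) >= 0) printf("%s\n", buf);
    if (rfc2253_escape(cn, sizeof cn, buf, sizeof buf) >= 0) printf("%s\n", buf);
    return 0;
}
```

The first value shows the 2.2.x incompatibility the message raises (the comma gains a backslash); the second shows the 0-byte surviving as a visible escape instead of cutting the variable short.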
