On Monday 20 December 2010, Stefan Fritsch wrote:
> > > Can we reject such certificates somehow? Should we close the
> > > connection if we see such a thing in ssl_var_lookup_ssl_cert?
> > > Or should we try to escape the 0-byte in the variable?
> >
> > The latter. I suggest using ASN1_STRING_print_ex() with
> > ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB (will escape them as
> > \0).
>
> OK, makes sense.
ASN1_STRING_print_ex escapes a whole lot of other stuff, too. So this
change would also introduce an incompatibility with 2.2.x for all the
SSL_{CLIENT,SERVER}_{I,S}_DN_* variables. For example:
'Snake Oil, Ltd.' versus 'Snake Oil\, Ltd.'
This would then also be covered by the SSLOption LegacyDNStringFormat.
Is this a good idea? I would like to have opinions from other people
before committing this.
For reference, here is the list from RFC 2253 of what is escaped:
o a space or "#" character occurring at the beginning of the string
o a space character occurring at the end of the string
o one of the characters ",", "+", """, "\", "\", "<", ">" or ";"
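To make the escaping rules above concrete, here is an added example (my own code, not httpd's or OpenSSL's) of an RFC 2253 string escaper that takes a length-counted byte string, so an embedded 0-byte in a DN component cannot truncate the value handed to downstream consumers. It backslash-escapes the special characters listed above and writes control bytes, NUL included, as a backslash followed by two hex digits; bytes >= 0x80 pass through unchanged, matching the suggestion to drop ASN1_STRFLGS_ESC_MSB. The sample inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape one DN attribute value as an RFC 2253 string.
 * in/len: raw bytes (may contain NUL); out/outlen: destination buffer.
 * Returns the number of bytes written (without the terminating NUL),
 * or -1 if the output buffer is too small. */
int rfc2253_escape(const unsigned char *in, size_t len,
                   char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t i, o = 0;

    for (i = 0; i < len; i++) {
        unsigned char c = in[i];
        /* Characters RFC 2253 requires to be escaped anywhere in the value */
        int special = (c == ',' || c == '+' || c == '"' || c == '\\' ||
                       c == '<' || c == '>' || c == ';');
        /* A leading space or '#', and a trailing space, are escaped too */
        if (i == 0 && (c == ' ' || c == '#'))
            special = 1;
        if (i == len - 1 && c == ' ')
            special = 1;

        if (special) {
            if (o + 2 >= outlen) return -1;
            out[o++] = '\\';
            out[o++] = (char)c;
        } else if (c < 0x20 || c == 0x7f) {
            /* Control bytes (including NUL) become \XX so nothing downstream
             * can mistake the 0-byte for the end of the string. */
            if (o + 3 >= outlen) return -1;
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: a CN with an embedded NUL byte */
    const unsigned char cn[] = { 'h', 'o', 's', 't', 0, 'x' };
    char buf[64];
    int n = rfc2253_escape(cn, sizeof cn, buf, sizeof buf);
    printf("%d bytes: %s\n", n, buf);   /* prints: 7 bytes: host\00x */
    return 0;
}
```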