On Sun, Apr 28, 2002 at 08:07:43PM +0100, Dr S N Henson wrote:
> By default the code ultimately uses the old X509_NAME_print function to
> display DNs. This results in the weirdness mentioned and all manner of
> odd output if the DN contains things like BMPStrings.
> 
> X509_NAME_print is only retained for compatibility. Changing it might do
> odd things if anyone parses or hashes its output for some reason: that
> isn't advisable but something might.
> 
> If appropriate flags are passed to the X509_print_ex function then much
> more sensible output is produced using the X509_NAME_print_ex function.
> The -nameopt option can be used for this (see manual page): -nameopt
> oneline is a good place to start.
> 
> I'd say that X509_NAME_print shouldn't be touched because new code
> should call X509_NAME_print_ex().
> 
> However a new FAQ entry might be in order or possibly changing the
> default display options so that the old behaviour is no longer the
> default and adding a "-nameopt old" option is explicitly needed instead.

-nameopt compat shall retain compatibility.
Hmm, make "oneline" the new default? Or rather leave it "as is" and just
add it to the FAQ. Robert Joop and Michael Bell, active in discussing
DN issues, are with the OpenCA project. It should be possible for them
to catch the problem by using an appropriate command line flag when
calling "openssl x509".
With 0.9.7 we have traded compatibility in some cases. Applications linking
against OpenSSL can always check OPENSSL_VERSION. This is far more
difficult for applications externally calling OpenSSL's command line
tools...

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
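
Added example, not part of the original message and not OpenSSL's own code: a script that calls "openssl x509" with an explicit -nameopt instead of relying on the default DN display, which is the situation described above for applications calling the command line tools. The function names, the test subject and the temporary paths are constructed for illustration; it assumes an openssl binary on PATH with a usable default configuration.

```shell
#!/bin/sh
# Added example: names, subject and paths below are constructed for illustration.

# make_test_cert DIR: write a throwaway self-signed certificate to DIR/cert.pem.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=DE/O=Example Org/CN=test.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# subject_dn CERT NAMEOPT: print the subject DN using an explicit -nameopt,
# so the result does not depend on the tool's default display options.
# The "subject=" label (and any space after it) is stripped.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt "$2" | sed -e 's/^subject= *//'
}

# subject_matches CERT EXPECTED: succeed only if the RFC2253 form of the
# subject equals EXPECTED exactly.
subject_matches() {
    [ "$(subject_dn "$1" RFC2253)" = "$2" ]
}

# Demonstration: the same DN rendered under three name options.
demo() {
    dir=$(mktemp -d) || return 1
    make_test_cert "$dir" || { rm -rf "$dir"; return 1; }
    for opt in compat oneline RFC2253; do
        printf '%-8s %s\n' "$opt" "$(subject_dn "$dir/cert.pem" "$opt")"
    done
    rm -rf "$dir"
}

demo
```

A caller that compares or stores DNs should fix one name option and use it everywhere, since the same certificate yields a different string under each option.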
