Re: bad characters encoded on ssl logs coming from x509 cert

Tue, 27 Apr 2010 03:35:27 -0700 

On Tue, Apr 27, 2010, Luis Neves wrote:

> Hi to all,
> 
> I have this data on  ssl_error_log, coming from a client certificate
> 
> [Fri Apr 23 14:13:26 2010] [debug] ssl_engine_kernel.c(1219):
> Certificate Verification: depth: 2, subject: /CN=Cart\\xC3\\xA3o de
> Cidad\\xC3\\xA3o 001/OU=ECEstado/O=SC
> EE - Sistema de Certifica\\xC3\\xA7\\xC3\\xA3o Electr\\xC3\\xB3nica do
> Estado/C=PT, issuer: /C=PT/O=SCEE/CN=ECRaizEstado
> [Fri Apr 23 14:13:26 2010] [debug] ssl_engine_kernel.c(1219):
> Certificate Verification: depth: 1, subject: /C=PT/O=Cart\\xC3\\xA3o
> de Cidad\\xC3\\xA3o/OU=subECEstado/CN=EC de
> Autentica\\xC3\\xA7\\xC3\\xA3o do Cart\\xC3\\xA3o de Cidad\\xC3\\xA3o
> 0003, issuer: /CN=Cart\\xC3\\xA3o de Cidad\\xC3\\xA3o
> 001/OU=ECEstado/O=SCEE - Sistema de Certifica\\xC3\\xA7\\xC3\\xA3o
> Electr\\xC3\\xB3nica do Estado/C=PT
> [Fri Apr 23 14:13:26 2010] [debug] ssl_engine_kernel.c(1219):
> Certificate Verification: depth: 0, subject: /C=PT/O=Cart\\xC3\\xA3o
> de Cidad\\xC3\\xA3o/OU=Autentica\\xC3\\xA7\\xC3\\xA3o do
> Cidad\\xC3\\xA3o/OU=Cidad\\xC3\\xA3o Portugu\\xC3\\xAAs/SN=FIGUEIREDO
> CORREIA DAS NEVES/GN=LU\\xC3\\x8DS
> MIGUEL/serialNumber=BI098289861/CN=LU\\xC3\\x8DS MIGUEL FIGUEIREDO
> CORREIA DAS NEVES, issuer: /C=PT/O=Cart\\xC3\\xA3o de
> Cidad\\xC3\\xA3o/OU=subECEstado/CN=EC de
> Autentica\\xC3\\xA7\\xC3\\xA3o do Cart\\xC3\\xA3o de Cidad\\xC3\\xA3o
> 0003
> 
> this is the data that is coming from the client?
> 
> the '\x' characters are making mod_authz_ldap failing querying the
> ldap server and returning "Bad search filter" instead
> 
> why this \'x' is appearing here, and how do I am suposed to control it?
> 
> The original text on the the certificate is:
> O=Cartão de Cidadão
> CN=EC de Autenticação do Cartão de Cidadão
> 
> PS: Im using Apache 2.2.3 on a Centos 5.4, against openldap
> 

The \x characters are caused by something escaping the UTF8 format characters
in the certificate. This isn't an OpenSSL issue as such but might be down to
the application using the long deprecated X509_NAME_oneline() function instead
of X509_NAME_print_ex().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to