On Wed, 2022-01-26 at 15:59 -0800, Andres Freund wrote:
> > > Do we have a testcase for embedded NULLs in common names?
> >
> > We don't, neither for OpenSSL or NSS. AFAICR Jacob spent days trying to get a
> > certificate generation to include an embedded NULL byte but in the end gave up.
> > We would have to write our own tools for generating certificates to add that
> > (which may or may not be a bad idea, but it hasn't been done).
>
> Hah, that's interesting.

Yeah, OpenSSL just refused to do it, with any method I could find at
least. My personal test suite is using pyca/cryptography and psycopg2
to cover that case.

--Jacob
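The behaviour such a test case would exercise, as an added example that is not part of the thread and not PostgreSQL's own code: a common name is a length-delimited string, so a check that reads it as a C string stops at the first NUL byte, while a length-aware check rejects it. The function names, the result enum and the sample CN bytes are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: CN bytes as stored in a length-delimited ASN.1
 * string, with a NUL byte embedded after "db.example.org". */
static const unsigned char SAMPLE_CN[] = "db.example.org\0.other.example";
#define SAMPLE_CN_LEN (sizeof(SAMPLE_CN) - 1)

typedef enum { CN_MATCH, CN_MISMATCH, CN_EMBEDDED_NUL } cn_result;

/* Case-insensitive comparison of n bytes. */
static bool eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char) b[i]))
            return false;
    return true;
}

/* Hypothetical naive check: treats the CN as a C string, so the bytes
 * after the embedded NUL are never looked at. */
static bool cn_matches_naive(const unsigned char *cn, size_t len, const char *host)
{
    (void) len; /* declared length is never consulted */
    size_t n = strlen((const char *) cn);
    return n == strlen(host) && eq_nocase(cn, host, n);
}

/* Hypothetical hardened check: a NUL anywhere inside the declared length
 * is rejected before any comparison happens. */
static cn_result cn_matches_checked(const unsigned char *cn, size_t len, const char *host)
{
    if (memchr(cn, '\0', len) != NULL)
        return CN_EMBEDDED_NUL;
    if (len == strlen(host) && eq_nocase(cn, host, len))
        return CN_MATCH;
    return CN_MISMATCH;
}

int main(void)
{
    const char *host = "db.example.org";
    printf("naive:   %s\n", cn_matches_naive(SAMPLE_CN, SAMPLE_CN_LEN, host) ? "match" : "no match");
    printf("checked: %d (2 = embedded NUL rejected)\n",
           cn_matches_checked(SAMPLE_CN, SAMPLE_CN_LEN, host));
    return 0;
}
```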
