Opened 13 years ago

Closed 12 years ago

Last modified 12 years ago

#105 closed Bug / Defect (fixed)

Lack of support for characters above the 7-bit range in Common Name, X509 Subject and username strings

Reported by: Samuli Seppänen Owned by:
Priority: minor Milestone: beta 2.3
Component: Certificates Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

This ticket is migrated from SF.net. Dazo's analysis:

I just checked the source code, and it will allow the lower 7bits to pass through when --no-name-remapping is done. The 7bit range are between the value between 0 and 127 (0x7F). For non-English based names/data, this can be too restrictive as they might expect 8bit width (0-255/0xFF) or support for UTF-8/UTF-16 character sets. CR (0x0D) and LF (0x0A) are replaced with '_' (underbar). Tabs, despite what the documentation says, are passed through, as far as I can understand. In general characters below the value of 32 (0x20) should not need to be passed through at all - but that's
another discussion.

However, to widen up this range further needs to be investigated much closer. Especially to support multi-byte characters via UTF-8/UTF-16. Anyhow, I think the core issue of this ticket is lack of support for characters above the 7bit range.

Change History (2)

comment:1 Changed 12 years ago by David Sommerseth

Resolution: fixed
Status: newclosed

This support should be covered in OpenVPN 2.3. Please re-open if this is not solved.

commit 5e86fd93779482b90a191f929edebe414cd78a4f
Author: Heiko Hund <heiko.hund@sophos.com>
Date:   Sat Feb 4 12:56:24 2012 +0000

    UTF-8 X.509 distinguished names
    
    The UTF-8 support that came with commit 2627335 does allow international
    usernames and passwords. This patch introduces UTF-8 support for X.509 DNs.
    Additionally, instead of using the legacy openssl format, DNs are now
    displayed in RFC 2253 format; "/C=ru/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0
    \xB2\xD0\xB0/O=\xD0\x9A\xD1\x80\xD0\xB5\xD0\xBC\xD0\xBB\xD1\x8C/CN=kreml.ru"
    becomes "C=ru, L=Москва, O=Кремль, CN=kreml.ru".
    
    Since the specific character classes for X.509 names are removed, the
    "no-name-remapping" configuration option has no use anymore and is removed
    as well.
    
    Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
    Acked-by: Adriaan de Jong <dejong@fox-it.com>
    Acked-by: David Sommerseth <davids@redhat.com>
    Signed-off-by: David Sommerseth <davids@redhat.com>

comment:2 Changed 12 years ago by David Sommerseth

Milestone: beta 2.3
Note: See TracTickets for help on using tickets.