On 12.02.2015 at 01:28, Dave Thompson <dthompson at prinpay.com> wrote:

> ASN1 strings set with the "generic" MBSTRING_ types that are for
> known/standard OID-value pairs are constrained by tbl_standard in
> asn1/a_strnid.c. A few like Country are forced to Printable as per standard.
>
> Those standardized as DirectoryString are anded with a "default mask" then
> a_mbstr.c chooses the "lowest" type supporting the characters in the value.
> Which allowed *two* of the eight single-byte types (Teletex and Printable).
> This is mentioned, very briefly, in the manpage for X509_NAME_add_entry.
>
> 1.0.1h in 2014 and later changed this mask to force UTF8 only, I believe
> to implement the MUST UTF8 for DirectoryString's in 2459 and 3280,
> even though 5280 in 2008 had relaxed it to MUST UTF8 OR Printable,
> I suspect to be safe for implementations of the older standard.
>
> req and ca override this by calling ASN1_STRING_set_default_mask_asc
> with the (string) value of string_mask in the configuration if specified, and
> the supplied openssl.cnf back to 1.0.0 in 2009 set utf8only for those utils.
> There is also a numeric version ASN1_STRING_set_default_mask .
>
> HTH.

Hi Dave,

thanks for your explanation. I wish these changes had been documented somewhere in the version history of OpenSSL.

    /* save the current default mask */
    unsigned long defaultMask = ASN1_STRING_get_default_mask();
    ASN1_STRING_set_default_mask(B_ASN1_PRINTABLESTRING);
    /* ... add entries ... */
    /* restore the saved mask */
    ASN1_STRING_set_default_mask(defaultMask);

seems to do the job.

J?rg
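To check which string type actually ended up in an encoded name after changing the default mask as discussed in this thread, the value tags can be read directly from the DER. This is an added example, not code from the thread or from OpenSSL; `der_hdr`, `name_value_tags` and the sample bytes are constructed for illustration, and it uses no OpenSSL calls.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: C=DE (PrintableString), CN=Test (UTF8String). */
static const unsigned char NAME_UTF8[] = {
    0x30,0x1c, 0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,'D','E',
    0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,'T','e','s','t' };

/* Parse one DER header; returns header size, 0 if malformed or truncated. */
static size_t der_hdr(const unsigned char *p, size_t n, unsigned *tag, size_t *len)
{
    size_t k, i;
    if (n < 2 || (p[0] & 0x1f) == 0x1f) return 0;   /* no high-tag form */
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return *len <= n - 2 ? 2 : 0; }
    k = p[1] & 0x7f;                                /* long-form length */
    if (k == 0 || k > sizeof(size_t) || k > n - 2) return 0;
    for (*len = 0, i = 0; i < k; i++) *len = (*len << 8) | p[2 + i];
    return *len <= n - 2 - k ? 2 + k : 0;
}

/* Store the tag of every attribute value in a DER Name; returns count or -1. */
int name_value_tags(const unsigned char *der, size_t n, unsigned char *tags, int max)
{
    unsigned tag; size_t len, h; int count = 0;
    const unsigned char *p, *end, *q, *rend, *a, *aend;
    if (!(h = der_hdr(der, n, &tag, &len)) || tag != 0x30) return -1;
    for (p = der + h, end = p + len; p < end; p = rend) {      /* RDN: SET */
        if (!(h = der_hdr(p, end - p, &tag, &len)) || tag != 0x31) return -1;
        for (q = p + h, rend = q + len; q < rend; q = aend) {  /* SEQUENCE */
            if (!(h = der_hdr(q, rend - q, &tag, &len)) || tag != 0x30) return -1;
            a = q + h; aend = a + len;
            if (!(h = der_hdr(a, aend - a, &tag, &len)) || tag != 0x06) return -1;
            a += h + len;                                      /* skip OID */
            if (!der_hdr(a, aend - a, &tag, &len) || count >= max) return -1;
            tags[count++] = (unsigned char)tag;
        }
    }
    return count;
}

int main(void)
{
    unsigned char t[8];
    int i, n = name_value_tags(NAME_UTF8, sizeof NAME_UTF8, t, 8);
    for (i = 0; i < n; i++)   /* 0x13 PrintableString, 0x0c UTF8String */
        printf("attribute %d: tag 0x%02x\n", i, t[i]);
    return n < 0;
}
```

Other DirectoryString tags that may show up are 0x14 (TeletexString), 0x1c (UniversalString) and 0x1e (BMPString).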