From: Victor W. <vi...@wa...> - 2009-10-25 20:13:16
On 2009.10.24 at 13:39:56 -0600, James Yonan wrote:
> Victor Wagner wrote:
> > I've found out that the string_mod family of functions does a very bad job
> > with certificates with Cyrillic characters in the subject.
> >
> > As of OpenVPN 2.1_rc19 the class CC_PRINT is determined by the function
> > isprint from ctype.h, which does the wrong job if there was no setlocale
> > call (and there is no setlocale call in OpenVPN).
>
> Can you submit a patch (as an email attachment) with this fix?
>
> My only concern would be if there are ways an attacker could use chars
> that are >= 128 to attack a shell or server-side auth script.
>
> I think it would be better to have this turned off by default, but have
> an option to enable it, like the no-name-remapping option in 2.1.

If this option wouldn't conflict with the script-security 3 system (as
"no-name-remapping" does), it would be nice.

Tomorrow I'd cut this patch out of my patch to openvpn 2.1rc19. It would
require some time, because I now use OpenVPN with the following additional
functionality:

1. Support for non-HMAC packet authentication algorithms (requires OpenSSL
   1.0, where support for non-HMAC MAC algorithms appeared).
2. Support for loading private keys from a crypto hardware module via the
   OpenSSL engine API, not the PKCS11 API, using an engine other than the one
   set by the engine configuration parameter.
3. Export of the certificate extension subjectAltName to scripts.
4. Support for the CC_MSB character class.
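Added example (my own C, not OpenVPN's string_mod code): a minimal character-class filter that borrows only the CC_PRINT and CC_MSB names from the thread, run on a constructed UTF-8 subject with no setlocale() call, so that isprint() works in the "C" locale as in the build described above. It shows that every Cyrillic byte is stripped under CC_PRINT alone and passes through unexamined once CC_MSB is enabled, which is why the thread wants that class off by default.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Class names follow the thread; the bit values and this filter are the
 * example's own, not OpenVPN's string_mod implementation. */
#define CC_PRINT (1u << 0)  /* isprint() in the current locale */
#define CC_MSB   (1u << 1)  /* any byte with the high bit set (>= 0x80) */

/* Return 1 if byte c belongs to at least one class in 'allowed'. */
static int char_class(unsigned char c, unsigned int allowed)
{
    if ((allowed & CC_PRINT) && isprint(c))
        return 1;
    if ((allowed & CC_MSB) && c >= 0x80)
        return 1;
    return 0;
}

/* Rewrite s in place: each byte outside 'allowed' becomes 'replace'.
 * Returns how many bytes were replaced. */
static int string_mod_demo(char *s, unsigned int allowed, char replace)
{
    int replaced = 0;
    for (; *s; ++s) {
        if (!char_class((unsigned char)*s, allowed)) {
            *s = replace;
            ++replaced;
        }
    }
    return replaced;
}

/* Filter a copy of 'in' and return only the replacement count. */
static int count_replaced(const char *in, unsigned int allowed)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", in);
    return string_mod_demo(buf, allowed, '_');
}

int main(void)
{
    /* Constructed subject "CN=Иван" as UTF-8. No setlocale() is called, so
     * isprint() runs in the "C" locale and rejects every byte >= 0x80. */
    const char *subj = "CN=\xD0\x98\xD0\xB2\xD0\xB0\xD0\xBD";
    printf("CC_PRINT only  : %d bytes replaced\n", count_replaced(subj, CC_PRINT));
    printf("CC_PRINT|CC_MSB: %d bytes replaced\n", count_replaced(subj, CC_PRINT | CC_MSB));
    return 0;
}
```

With CC_MSB on, the high bytes reach whatever script consumes the subject unchanged, so the script side must treat them as untrusted input rather than relying on the filter.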